Closed
Bug 1437999
Opened 6 years ago
Closed 6 years ago
Mixed-content blocker fails on simple page
Categories: (Core :: DOM: Security, defect)
Status: RESOLVED INVALID
People: (Reporter: mozillabugs, Unassigned)
Attachments: (2 files)
The mixed-content blocker improperly displays a green lock icon for a simple HTML page that loads a JavaScript via http from a different domain, if the domain is referenced by an IP address instead of a name. The attached POC demonstrates the problem. Use it as follows:

1. Configure a webserver to serve https.
2. Edit bug_598b_poc_1.htm to use the webserver's IP address instead of "127.0.0.1".
3. Put both POC files on the webserver.
4. Edit a client machine's HOSTS file (or the local DNS, if you prefer) to map the name "foosite" to the webserver's IP address and flush the client machine's DNS cache.
5. Load the POC in FF on the client machine, using the address "https://foosite/bug_598b_poc_1.htm". Notice that the address bar contains a green lock, and that the message "Script loaded!" appears in an alert box. Also notice that the lock doorhanger says "Secure Connection".
6. Verify that the script file was loaded over http by examining the webserver's log.

If you edit bug_598b_poc_1.htm to refer to the webserver by name (e.g., "barsite") and add that name to HOSTS/DNS, FF refuses to load the script. It (only sometimes!) logs a "Blocked loading mixed active content" message to the browser log, but oddly does not display a broken lock in the address bar, though the lock doorhanger displays a warning.
Reporter
Comment 1 • 6 years ago
Reporter
Comment 2 • 6 years ago
Hmm, it looks like the mixed-content blocker has an exception for 127.0.0.1. When I use a different IP address, it works correctly. I'm marking this bug as invalid.
Reporter
Updated • 6 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
Updated • 4 years ago
Group: core-security
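The exception noted in Comment 2 is consistent with the W3C Secure Contexts rule that loopback IP literals (127.0.0.0/8 and [::1]) count as potentially trustworthy origins, so an http script from such an address is not treated as mixed content. The sketch below is an added example of that classification, not Firefox's code and not part of the report; the function names, the file name poc.js and the address 192.0.2.10 are constructed for illustration.

```javascript
// Added example: simplified model of the loopback rule, not Firefox's implementation.

// True when the host is a loopback IP literal: 127.0.0.0/8 or [::1].
// Hostnames (including "localhost") are deliberately not modelled here,
// because their treatment differs between browsers and versions.
function isLoopbackIpLiteral(hostname) {
  if (hostname === "[::1]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) && octets[0] === 127;
}

// Classify a script load requested by a page.
// Returns "not-mixed", "not-modelled", "allowed-loopback" or "blocked-mixed-active".
function classifyScriptLoad(pageUrl, scriptUrl) {
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, page); // also resolves relative URLs
  if (page.protocol !== "https:") return "not-mixed"; // page is not secure to begin with
  if (script.protocol === "https:") return "not-mixed";
  if (script.protocol !== "http:") return "not-modelled"; // data:, blob:, etc.
  return isLoopbackIpLiteral(script.hostname)
    ? "allowed-loopback"
    : "blocked-mixed-active";
}

// Constructed sample loads modelled on the report's test setup.
const PAGE = "https://foosite/bug_598b_poc_1.htm";
const SAMPLES = [
  "http://127.0.0.1/poc.js",  // the address left in the POC
  "http://[::1]/poc.js",      // IPv6 loopback
  "http://192.0.2.10/poc.js", // non-loopback IP literal (documentation range)
  "http://barsite/poc.js",    // host referenced by name
  "poc.js",                   // relative URL, inherits https from the page
];

function classifySamples() {
  const result = {};
  for (const url of SAMPLES) result[url] = classifyScriptLoad(PAGE, url);
  return result;
}

console.log(classifySamples());
```

When testing a mixed-content policy, serve the insecure resource from a non-loopback address; a test against 127.0.0.1 exercises the exception rather than the blocker.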