Closed Bug 145730 Opened 22 years ago Closed 22 years ago

repeated "encrypted page" alerts

Categories

(Core Graveyard :: Security: UI, defect, P3)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: bugZ, Assigned: KaiE)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: regression, Whiteboard: [adt1 rtm] [ETA 6/20])

Attachments

(1 file, 4 obsolete files)

Updated simpler patch, aUri renamed to uri
1.19 KB, patch
KaiE
: review+
KaiE
: superreview+
jud
: approval+
Details | Diff | Splinter Review 
win32 trunk build 2002051708 (and the 05/19 build), win98se

At the main login page for Wells Fargo online banking, an alert displays that an
encrypted page was requested, as expected.  In the online bill paying area,
virtually every linked page results in 2 alerts - the first is "you are leaving
an encrypted page", the second is "you have requested an encrypted page".   The
expectation is that once logged into the secure site, the encrypted page alerts
shouldn't display within the same banking session.  builds 2002051508 and
2002051204 behave as expected.

Steps to reproduce:
1.  In Prefs - Privacy & Security, turn on SSL warnings
2.  Go to https://banking.wellsfargo.com and log in
3.  Select Bill Pay
4.  Select View Pending Payments - the 2 alerts display.  The expectation is
that they do not.

Observation 1: The repeated alerts do no occur in the "Account Summary" area of
the site.

Observation 2: The Account Summary area of the site uses absolute paths for
virtually every link, i.e.
<form...
ACTION="https://mn1-gx4-ib.banking.wellsfargo.com/cgi-bin/session.cgi?sessargs=<whatever>"
<a
href="https://mn1-gx4-ib.banking.wellsfargo.com/cgi-bin/session.cgi?sessargs=<whatever>"

The Bill Paying area uses many js links and relative paths, i.e.
<form... ACTION="../SummaryInformation/pgUpdateStatus.<whatever>"
<a
href="JavaScript:Validate('bnReviewPayments','bnReviewPayments_onWebEvent(bnReviewPayments,0)','0');">
cc aruner
We can't investigate this unless we have a log in to wellsfargo.com
Reporter, can you try today's build and see if this is still happening?
win32 trunk build 061408 - still happening.

Click on a link or submit button that goes to a javascript:"function()" rather
than another https://url seems to be at the root of it.

Immediately after clicking the link, the "you are leaving an encrypted page"
message pops up and the security icon in the status bar switches to unlocked. 
When the next page starts loading, the "you have requested an encrypted page"
message pops up and the icon changes back to locked.
Confirming. This appears to be a regression, since I already have an in-house 
test case setup. 
1.) Visit https://pki.mcom.com/tests.html - a secure site.
2.) In the lower left, click on the link "Secure Popup" - 
JavaScript:openNewWindow('https://pki.mcom.com/popup.html','popup',400,400)
What is expected: Since the original page is secure and the popup is secure, 
there should be no warning or change in lock icon status.
What happens: I get a warning stating that I am leaving a secure site, and also 
the lock on the main page changes to a broken lock icon.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: nsbeta1
OS: Windows 98 → All
Priority: -- → P3
Hardware: PC → All
Version: 1.01 → 2.3
Blocks: lockicon
-> me
Assignee: ssaux → kaie
John, I confirm that I see the same behaviour, and we should look into it.
However, I would like to confirm that both web sites are indeed the same problems.
Your testcases uses JavaScript.

K Chayka: When you have logged in to that site, please do the following: Move
the mouse over one of those links that trigger that double alert - but do not
click it. In the status bar of the window (at the bottom of the window) there
should be information about the link. Does that text start with "JavaScript:"?

John, I would like to separate your comment into two different issues:
1.) The "leaving security" issue, which is shown for the currently displayed
(already open) window.
2.) The issue that opening a secure window from a secure window does again show
an "encrypted" alert.

It seems to me 2.) is not a new behaviour. I can see that in old 0.9.4 builds as
well. If you agree and think we should change that, I suggest we could file a
new RFE bug.


I looked into 1.)
The behaviour is indeed a regression and was caused by the patch to bug 144056.
That bug tried to make sure that the lock icon will get reset, whatever content
type will be loaded in the top level document. Obviously, the JavaScript type
should have been filtered out, since no new content gets loaded in that case.

I made a test with a trunk build and having the patch from 144056 reverted, and
the test case did not show a "leaving crypto" warning for the already open page,
and the lock icon stayed secure. (However, the new opened window still shows the
warning / 2.))

I should have read this bug more carefully, I realize that K already reported
that JavaScript: links are the cause of the problem. Thanks.
Attached patch Patch, but probably too slow? (obsolete) — Splinter Review 
This patch fixes the problem for me.
It makes the assumption, that we can ignore the progress event triggered by the
JavaScript action. It assumes that we will further events if the JS actually
triggers loading new content into the displayed window. I don't know whether
that assumption can be made or not.
The problem with my patch is, that we receive many many progress events, and we
now have to construct and stringcompare("javascript:") the nsIRequest.name of
every request.

I was unable to find a different way to decide, whether the received nsIRequest
is indicating a JS action. bbaetz and biesi on IRC suggested, I could look look
at the URI and use schemeIs - but for URLs like 
  javascript:openNewWindow('https://pki.mcom.com/popup.html','popup',400,400)
I do NOT get "javascript" as the scheme, I get "https"...

Background: The security code is tracking all loading progress, to decide what
the current summarized security status is, in order to show a correct lock icon
state and correct security transition warnings.

This patch creates a new (empty) interface that nsJSChannel implements, so we
can QI to it. If we can, we know it's JS.
bbaetz suggested, we nsIJSChannel should inherit from nsIChannel, and
nsJSChannel should inherit only from nsIJSChannel.
Attachment #87937 - Attachment is obsolete: true
Attached patch Simpler patch (obsolete) — Splinter Review 
Actually I made a mistake while trying out my patch. I accidentially looked at
the wrong URI instance :-(

This is a simple patch that uses the approach that was suggested by many
people, checking the scheme for the notified URI in the request, and ignore it
if it is JavaScript. To my testing, if the JS causes the document to change, we
will receive more progress events for the loaded content, and because of that,
ignoring the JS event seems safe to do.
Attachment #87934 - Attachment is obsolete: true
Attachment #87938 - Attachment is obsolete: true
Javi, can you please review?
Status: NEW → ASSIGNED
Keywords: nsbeta1nsbeta1+, regression
Whiteboard: [adt1 rtm]
Comment on attachment 87957 [details] [diff] [review]
Simpler patch

sr=darin
Attachment #87957 - Flags: superreview+
Comment on attachment 87957 [details] [diff] [review]
Simpler patch

r/sr=jst too if you rename aURI to uri. Naming local variables a_something_
conflicts with our naming scheme for method aruments.
Attachment #87957 - Flags: review+
Whiteboard: [adt1 rtm] → [adt1 rtm] [ETA 6/19]
As requested
Attachment #87957 - Attachment is obsolete: true
Comment on attachment 88124 [details] [diff] [review]
Updated simpler patch, aUri renamed to uri

carrying forward reviews
Attachment #88124 - Flags: superreview+
Attachment #88124 - Flags: review+
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
John, can you please verify? Can you try to find regressions on JavaScript pages?
Thanks.

win32 build 2002061808

Just tried Wells Fargo online banking where I originally experienced this.
No more alerts on js links, just on entering and leaving the secure site.
Groovy :-)
Keywords: adt1.0.1, mozilla1.0.1
Verified on trunk. Looks good to me.
Status: RESOLVED → VERIFIED
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch, pending
driver's approval. pls check this in asap, then add the "fixed1.0.1" keyword.
Keywords: adt1.0.1adt1.0.1+, approval
Whiteboard: [adt1 rtm] [ETA 6/19] → [adt1 rtm] [ETA 6/20]
Attachment #88124 - Flags: approval+
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1mozilla1.0.1+
Checked in to 1_0 branch.
Keywords: adt1.0.1+, mozilla1.0.1+fixed1.0.1
Verified on 6/23 branch.
Keywords: fixed1.0.1verified1.0.1
Product: PSM → Core
Version: psm2.3 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: