Open Bug 1484916 Opened 3 years ago Updated 1 year ago
Firefox for i
OS does not show an indicator for "passive" mixed-content
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36 Steps to reproduce: 1- Open the Firefox 2- Go this website : https://mixed-favicon.badssl.com/ Actual results: Although a web page icon loads as http, it may appear secure. Expected results: Please look at the https://mixed-favicon.badssl.com's source code. You can see favicon icon as https. But if you open favicon file, it' redirecting to http page. This means : favicon file loading as http. This means : web page is not secure. But Firefox show web page as secure proof of concept: IMG_0742.TRIM.MOV
How can i help you ?
We don't actually have a mixed content indicator. I'm not sure what we should do with this bug. Because of WKWebView we are a bit limited here, but it does have a property that can tell us if the loaded page has mixed content I think. Dan do you think there is something actionable here? We could turn this into a feature card on our trello board but that means we will need some guidance on the UX side of things.
https://developer.apple.com/documentation/webkit/wkwebview/1415002-hasonlysecurecontent "A Boolean value indicating whether all resources on the page have been loaded through securely encrypted connections." I think this would be nice to expose in some way.
Marking as tracking-fxios so that it will show up in bug triage.
Hello, I want to learn situation. Thanks, Yiğit
Since we allow the load of mixed "passive" content anyway we're not protecting users from any of the privacy downsides. The indication is a warning to users, but more of a nudge for the site's authors to fix things. We don't need to keep this hidden. If we're not showing a mixed-content indicator at all that's a bigger deal than just getting the favicon wrong.
Summary: Firefox for iOS does not show mixed-content → Firefox for iOS does not show an indicator for "passive" mixed-content
Flags: needinfo?(sarentz) → needinfo?(fpatel)
You need to log in before you can comment on or make changes to this bug.