Open Bug 1484916 Opened 3 years ago Updated 1 year ago

Firefox for iOS does not show an indicator for "passive" mixed-content

Categories

(Firefox for iOS :: General, defect, P2)

Other
iOS
defect

Tracking

()

People

(Reporter: yigitcnyilmaz, Unassigned, NeedInfo)

Details

(Keywords: privacy, sec-want)

Attachments

(1 file)

Attached video IMG_0742.TRIM.MOV
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce:

1- Open the Firefox
2- Go this website : https://mixed-favicon.badssl.com/


Actual results:

Although a web page icon loads as http, it may appear secure.



Expected results:

Please look at the https://mixed-favicon.badssl.com's source code. You can see favicon icon as https. But if you open favicon file, it' redirecting to http page. This means : favicon file loading as http. This means : web page is not secure. But Firefox show web page as secure

proof of concept:
IMG_0742.TRIM.MOV
Flags: needinfo?(dveditz)
How can i help you ?
We don't actually have a mixed content indicator. I'm not sure what we should do with this bug.

Because of WKWebView we are a bit limited here, but it does have a property that can tell us if the loaded page has mixed content I think.

Dan do you think there is something actionable here? We could turn this into a feature card on our trello board but that means we will need some guidance on the UX side of things.
Flags: needinfo?(dveditz)
https://developer.apple.com/documentation/webkit/wkwebview/1415002-hasonlysecurecontent

"A Boolean value indicating whether all resources on the page have been loaded through securely encrypted connections."

I think this would be nice to expose in some way.
Marking as tracking-fxios so that it will show up in bug triage.
Hello,
I want to learn situation.

Thanks,
Yiğit
Flags: needinfo?(sarentz)
Since we allow the load of mixed "passive" content anyway we're not protecting users from any of the privacy downsides. The indication is a warning to users, but more of a nudge for the site's authors to fix things. We don't need to keep this hidden.

If we're not showing a mixed-content indicator at all that's a bigger deal than just getting the favicon wrong.
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: privacy, sec-want
Summary: Firefox doesn't mark sites with http favicons as mixed content → Firefox for iOS does not show mixed-content
Summary: Firefox for iOS does not show mixed-content → Firefox for iOS does not show an indicator for "passive" mixed-content
Priority: -- → P2
Flags: needinfo?(sarentz) → needinfo?(fpatel)
You need to log in before you can comment on or make changes to this bug.