Bug 1484916 (Open)
Opened 6 years ago
Updated 2 years ago
Firefox for iOS does not show an indicator for "passive" mixed-content
Categories: Firefox for iOS :: General, defect, P2
Status: NEW
People: Reporter: yigitcnyilmaz, Unassigned, NeedInfo
Keywords: privacy, sec-want
Attachments: 1 file (1.98 MB, video/quicktime)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Steps to reproduce:
1- Open Firefox
2- Go to this website: https://mixed-favicon.badssl.com/
Actual results:
Although a web page icon loads as http, it may appear secure.
Expected results:
Please look at the source code of https://mixed-favicon.badssl.com. You can see the favicon icon as https. But if you open the favicon file, it's redirecting to an http page. This means: the favicon file is loading as http. This means: the web page is not secure. But Firefox shows the web page as secure.
proof of concept:
IMG_0742.TRIM.MOV
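The downgrade described in this report (an icon declared as https whose load is redirected to http) is something a site author can check for. The following is an added example, not code from this bug or from Firefox for iOS. The page markup, hosts and redirect map are constructed, the function names are hypothetical, and the redirect map stands in for the Location headers a real fetch would return.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class IconLinks(HTMLParser):
    """Collect href values of <link rel="... icon ..."> elements."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "icon" in rels and a.get("href"):
            self.hrefs.append(a["href"])

def redirect_chain(url, redirects, max_hops=10):
    """Follow Location targets; `redirects` stands in for HTTP 3xx responses."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = urljoin(chain[-1], redirects[chain[-1]])
        if nxt in chain:  # redirect loop: stop instead of spinning
            break
        chain.append(nxt)
    return chain

def insecure_icon_loads(page_url, html, redirects):
    """Map each declared icon href to its chain when any hop is plain http."""
    if urlsplit(page_url).scheme != "https":
        return {}  # mixed content is only defined for https pages
    parser = IconLinks()
    parser.feed(html)
    hrefs = parser.hrefs or ["/favicon.ico"]  # default location when none declared
    findings = {}
    for href in hrefs:
        chain = redirect_chain(urljoin(page_url, href), redirects)
        if any(urlsplit(u).scheme == "http" for u in chain):
            findings[href] = chain
    return findings

# Constructed sample: hosts, markup and the redirect are illustrative only.
PAGE_URL = "https://site.example/"
PAGE_HTML = """<head><link rel="shortcut icon" href="/icons/favicon.ico">
<link rel="icon" href="https://cdn.example/icon-32.png">
<link rel="stylesheet" href="/style.css"></head>"""
REDIRECTS = {"https://site.example/icons/favicon.ico": "http://static.example/favicon.ico"}

if __name__ == "__main__":
    for href, chain in insecure_icon_loads(PAGE_URL, PAGE_HTML, REDIRECTS).items():
        print(href, "is passive mixed content:", " -> ".join(chain))
```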
Updated•6 years ago
Flags: needinfo?(dveditz)
Reporter
Comment 1•6 years ago
How can I help you?
Comment 2•6 years ago
We don't actually have a mixed content indicator. I'm not sure what we should do with this bug.
Because of WKWebView we are a bit limited here, but it does have a property that can tell us if the loaded page has mixed content I think.
Dan, do you think there is something actionable here? We could turn this into a feature card on our Trello board, but that means we will need some guidance on the UX side of things.
Updated•6 years ago
Flags: needinfo?(dveditz)
Comment 3•6 years ago
https://developer.apple.com/documentation/webkit/wkwebview/1415002-hasonlysecurecontent
"A Boolean value indicating whether all resources on the page have been loaded through securely encrypted connections."
I think this would be nice to expose in some way.
Updated•6 years ago
tracking-fxios: --- → ?
Comment 4•6 years ago
Marking as tracking-fxios so that it will show up in bug triage.
Reporter
Comment 5•6 years ago
Hello,
I want to learn the situation.
Thanks,
Yiğit
Flags: needinfo?(sarentz)
Comment 6•6 years ago
Since we allow the load of mixed "passive" content anyway we're not protecting users from any of the privacy downsides. The indication is a warning to users, but more of a nudge for the site's authors to fix things. We don't need to keep this hidden.
If we're not showing a mixed-content indicator at all that's a bigger deal than just getting the favicon wrong.
Updated•6 years ago
Summary: Firefox for iOS does not show mixed-content → Firefox for iOS does not show an indicator for "passive" mixed-content
Updated•6 years ago
Priority: -- → P2
Updated•6 years ago
Flags: needinfo?(sarentz) → needinfo?(fpatel)
Updated•5 years ago
tracking-fxios: + → ---
Comment 7•3 years ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:jeevans, since the bug has high priority, could you have a look please?
For more information, please visit auto_nag documentation.
Flags: needinfo?(fpatel) → needinfo?(jeevans)
Updated•2 years ago
Severity: normal → S3