Closed Bug 149207 Opened 22 years ago Closed 8 years ago

Need Security Information independently for each frame

Categories

(Core Graveyard :: Security: UI, enhancement, P3)

Other Branch
enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: KaiE, Unassigned)

Expected behaviour:
View "Frame Info" (i.e. page info) should show security information for the frame.

Right now, we don't have independent security information available for each
frame, and bug 138479 recently fixed that we don't display wrong information.

Probably, it will become easier to fix this bug, once bug 140837 has been fixed,
because that bug will need separate security tracking for each frame, too.
*** Bug 150747 has been marked as a duplicate of this bug. ***
Severity: normal → enhancement
Depends on: 140837
Priority: -- → P3
Target Milestone: --- → Future
Keywords: nsbeta1
*** Bug 160966 has been marked as a duplicate of this bug. ***
*** Bug 212844 has been marked as a duplicate of this bug. ***
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Mass change "Future" target milestone to "--" on bugs that now are assigned to
nobody.  Those targets reflected the prioritization of past PSM management.
Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Guys, why such delay on this one? Separate security tracking for frames has been
requested for over two years!

Because this is not provided yet, I first refused to pay online for my phone
bill, thinking their CC info form was not secure. Their tech support let me know
there were frames involved, and I could check for security by requesting frame
info in Firefox. Indeed, their URL is https (which was enough to quiet me), but
the frame info dialog has no Security tab. This is inconsistent!

Definitely not a blocker, but still, I can't figure why it has been so delayed.
Product: PSM → Core
QA Contact: junruh → ui
It's annoying for those users who want to check the security of a shop which is embedded into an unsecure frameset! The shop owners get mails from the users "Your site is not secure!"...:(
Johannes, the setup you describe is not safe.  It is possible for the containing page to position its own textboxes to cover the iframe's textboxes.

If anything, your comment is an argument for *not* showing security information for iframes in Page Info -- Firefox should not help site owners mislead customers into thinking that such a setup is secure.
(In reply to comment #11)
> Johannes, the setup you describe is not safe.  It is possible for the
> containing page to position its own textboxes to cover the iframe's textboxes.
> 
> If anything, your comment is an argument for *not* showing security information
> for iframes in Page Info -- Firefox should not help site owners mislead
> customers into thinking that such a setup is secure.

Exactly - doing this seems like it has the potential to muddy the waters much more than it clears them.  Yes, you could bury it off the "This Frame" submenu, but it would still give you a very misleading impression about your security state.

Kai, this is your bug - do you think the benefits outweigh the risks here?  My thought is to WONTFIX it, to let curious users go This Frame->Show only this frame and then page info, where the report will more accurately reflect reality.  But you are good at thinking of scenarios I haven't.  :)
If we wanted Page Info to be super-informative, it could say that the frame's https is fine, but the frame should be treated as "insecure" because it is embedded in an http page.
IFRAMEs <-> Framesets! Why not implement it for framesets?

It should not be possible that unsecure frame-elements position text boxes into
other frames, especially IFRAMEs; is that not a bug itself?
The developer console is what should be used here if a user wants an idea of the aggregated security state of a page. Either that or an add-on.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
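The rule suggested in the comments above (a frame's own https is fine, but the frame counts as "insecure" once any ancestor is http) can be written down as follows. This is an added example, not part of the bug thread and not Firefox code; the frame-tree shape, the function names and the `example` URLs are constructed, and treating every non-https scheme as insecure is a simplifying assumption.

```javascript
// Added example: per-frame vs. effective security state for a frame tree.
// Assumption: any scheme other than https (or an unparsable URL) counts as insecure.
function isHttps(url) {
  try {
    return new URL(url).protocol === "https:";
  } catch (e) {
    return false; // malformed URL: never report it as secure
  }
}

// Returns one row per frame, depth-first, with the frame's own transport and
// the state a user should actually rely on given its ancestors.
function frameSecurityReport(frame, ancestors = []) {
  const own = isHttps(frame.url);
  const weakAncestor = ancestors.find((u) => !isHttps(u)) || null;
  let reason = "https all the way up to the top-level page";
  if (!own) reason = "frame itself is not https";
  else if (weakAncestor) reason = "https frame embedded in " + weakAncestor;
  const rows = [{
    url: frame.url,
    depth: ancestors.length,
    ownTransport: own ? "https" : "insecure",
    effective: own && !weakAncestor ? "secure" : "insecure",
    reason,
  }];
  for (const child of frame.children || []) {
    rows.push(...frameSecurityReport(child, [...ancestors, frame.url]));
  }
  return rows;
}

// Aggregated page state: secure only if every frame is effectively secure.
function pageState(rows) {
  return rows.every((r) => r.effective === "secure") ? "secure" : "insecure";
}

// Constructed sample: an http frameset that embeds an https shop frame.
const sampleTree = {
  url: "http://portal.example/frameset.html",
  children: [
    { url: "http://portal.example/nav.html", children: [] },
    { url: "https://shop.example/checkout", children: [
      { url: "https://shop.example/cardform", children: [] },
    ] },
  ],
};

for (const r of frameSecurityReport(sampleTree)) {
  console.log("  ".repeat(r.depth) + r.url, "| own:", r.ownTransport, "| effective:", r.effective, "|", r.reason);
}
console.log("page:", pageState(frameSecurityReport(sampleTree)));
```

The https checkout frame and the card form nested inside it both report `own: https` but `effective: insecure`, which is the distinction a per-frame Security tab alone would hide.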