Closed Bug 1597029 Opened 6 years ago Closed 6 years ago

Media loaded via TLS displayed as unencrypted

Categories

(Firefox :: Security, defect, P1)

Product:
Firefox
Component:
Security
Version:
71 Branch
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 74
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox70 --- unaffected
firefox71 --- wontfix
firefox72 --- wontfix
firefox73 --- verified
firefox74 --- verified

People

(Reporter: sven-mozilla, Assigned: johannh)

References

(Regression)

Details

(Keywords: regression)

Attachments

(2 files)

screenshot
1.60 MB, image/png
Details
Bug 1597029 - Set securityInfo for all document types. r=baku
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-beta+
Details | Review
Attached image screenshot

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

  1. Open a direct link to an image via an https-URL (e. g. https://www.faceandfeet-lounge.de/images/banner.jpg)
  2. Open page information (ctrl/cmd + I)
  3. Go to tab security

Actual results:

  1. Page is shown as not encrypted in spite is was delivered via HTTPS by the server.
  2. Button to show certificate is not displayed

(see attached screenshot)

Expected results:

Show how the truth about the HTTPS connection and let users see the certificate chain.

status-firefox70: --- → unaffected
status-firefox71: --- → affected
status-firefox72: --- → affected
Component: Untriaged → Security
Keywords: regression
Regressed by: 1576960

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Security → Security: PSM
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Has Regression Range: --- → yes
Has STR: --- → yes
status-firefox-esr68: --- → unaffected
Component: Security: PSM → Security
Ever confirmed: true
Product: Core → Firefox

Wennie, could you help us triage and find an owner for this regression in 71 please? Thanks

Flags: needinfo?(wleung)

Hi J.C, please take a look at this bug. Thanks!

Flags: needinfo?(wleung) → needinfo?(jjones)

We have shipped our last beta for 71, so this is wontfix for 71.

status-firefox71: affectedwontfix

I can take a look.

Flags: needinfo?(jjones) → needinfo?(jhofmann)

Johann - the path of my suspicion for this one is the changes from Bug 1468222 to nsITransportSecurityInfo.

Huh, so, the regression range is wrong?

Uhhh, no, probably not. Nevermind.

Reproduced on latest Nightly 73.0a1 (2019-12-03) (64-bit) on Windows 10. Also did the regression range and indeed Bug 1576960 regressed this.

status-firefox73: --- → affected

We could still potentially get a fix into 72, Johann is it something you may be able to work on in the next week or should I wontfix for 72?

So the issue seems to be that Document::GetSecurityInfo will sometimes return null even though the corresponding channel has a valid securityInfo object. I suspect the reason is that we're only updating mSecurityInfo for HTML documents, not media documents (so videos are affected by this bug, too)

I suspect that we can just move that code to Document::StartDocumentLoad...

Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
status-firefox74: --- → affected
Flags: needinfo?(jhofmann)
Priority: -- → P1
Summary: Images via TLS displayed as unencrypted → Media loaded via TLS displayed as unencrypted

In StartDocumentLoad we copy the securityInfo reference from the load channel into a document
member variable. This used to happen only for HTML documents, but other documents (e.g. media)
can be loaded via secure channels, too and thus should have securityInfos. We're using the
securityInfo object to display information in the UI, which would previously fail for images and videos.

Pushed by jhofmann@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0c6fe9a1e6c7 Set securityInfo for all document types. r=baku

https://hg.mozilla.org/mozilla-central/rev/0c6fe9a1e6c7

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox74: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 74

Please nominate this for Beta approval if you think it's worth doing.

Flags: needinfo?(jhofmann)
Flags: in-testsuite+

Comment on attachment 9119736 [details]
Bug 1597029 - Set securityInfo for all document types. r=baku

Beta/Release Uplift Approval Request

  • User impact if declined: Missing security information on page info for some document types (images, videos)
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: See description, but please also try opening a video in the browser
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Simple, tested patch that moves setting a member attribute on the document to a parent method
  • String changes made/needed: None
Flags: needinfo?(jhofmann)
Attachment #9119736 - Flags: approval-mozilla-beta?
Flags: qe-verify+
QA Whiteboard: [qa-triaged]

Comment on attachment 9119736 [details]
Bug 1597029 - Set securityInfo for all document types. r=baku

Fixes missing security information for some pages. Approved for 73.0b5.

Attachment #9119736 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Managed to reproduce the issue using Fx73.0b4.
The issue is verified fixed using the latest Fx74.0a1 and Fx73.0b5 (treeherder build) on Windows 10, Ubuntu 18 and macOS 10.13. The connection now appears as encrypted and the View Certificate button is displayed.

Status: RESOLVED → VERIFIED
status-firefox73: fixedverified
status-firefox74: fixedverified
Flags: qe-verify+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: