Open Bug 1696973 Opened 3 years ago Updated 2 years ago

HTTPS-only mode should indicate when it has upgraded insecure content somehow

Categories

(Core :: DOM: Security, enhancement, P3)

Firefox 86
enhancement

UNCONFIRMED

People

(Reporter: mailto.jchan, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog2])

Attachments

(1 file)

Attached image Capture#01.PNG

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

HTTPS-Only Mode : Enable HTTPS-Only Mode in all windows
security.mixed_content.block_active_content: true
security.mixed_content.block_display_content: true
security.mixed_content.block_object_subrequest: true

Loaded https://active-mixed-content.glitch.me/

Actual results:

The page displayed the insecure elements while there was no indication by the browser. Attached image: Capture#01.png

HTTPS-Only Mode : Don’t enable HTTPS-Only Mode
Only the insecure background image is loaded
Attached image: Capture#02.png

Expected results:

Have been expecting in situation #1 (Capture#01.png), that there would be a warning at least in the browser. Did not happen, insecure elements loaded.

In situation #2, the insecure background image alone loaded.
That seemed weird too.

Both the scenarios appear to be buggy? Or is that what is to be expected?

The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → DOM: Security
Product: Firefox → Core

https-only mode upgrades all the requests IN ORDER THAT mixed-content blocking doesn't break pages -- there is no insecure content loaded, so there's nothing to block or warn the user about. The page was written insecurely, but https-only mode fixed it before it caused any insecure actions to happen. Does that make sense? Or am I misunderstanding what you think should happen?

Flags: needinfo?(mailto.jchan)
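As an added illustration (not code from Firefox or from this bug), the ordering the previous comment describes, as a small JavaScript model: HTTPS-Only Mode rewrites the request before the mixed-content blocker runs, so the blocker never sees an http:// load. The preference names are the ones listed in the report; the `httpsOnlyMode` key, the active/display type sets and the status names are assumptions of this model, not Firefox internals.

```javascript
// Simplified model of HTTPS-Only Mode vs. the mixed-content blocker for one
// subresource load. Not Firefox code; the type classification and status
// names below are assumptions made for this illustration.
const DEFAULT_PREFS = {
  httpsOnlyMode: false, // "Enable HTTPS-Only Mode in all windows" (assumed key name)
  "security.mixed_content.block_active_content": true,
  "security.mixed_content.block_display_content": true,
  "security.mixed_content.block_object_subrequest": true,
};

// Assumed split: scripts and frames can act on the page; images only display.
const ACTIVE = new Set(["script", "iframe", "xhr", "fetch", "stylesheet"]);
const DISPLAY = new Set(["image", "audio", "video"]);

// Returns { url, status } where status is one of:
//   "secure"    the request was already https
//   "upgraded"  HTTPS-Only Mode rewrote http:// to https:// before any check
//   "blocked"   the mixed-content blocker stopped the insecure load
//   "insecure"  the insecure load went through (blocking pref off for that type)
//   "plain"     the page itself is http, so nothing counts as mixed content
function loadSubresource(pageUrl, resourceUrl, type, prefs = DEFAULT_PREFS) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);

  if (res.protocol === "https:") return { url: res.href, status: "secure" };

  // HTTPS-Only Mode runs first: the request is upgraded, so the blocker
  // below is never reached and there is nothing to warn the user about.
  if (prefs.httpsOnlyMode && res.protocol === "http:") {
    res.protocol = "https:";
    return { url: res.href, status: "upgraded" };
  }

  if (page.protocol !== "https:") return { url: res.href, status: "plain" };

  // No upgrade: an http resource inside an https page is mixed content,
  // and the per-type prefs decide whether it is blocked.
  const blocked =
    (ACTIVE.has(type) && prefs["security.mixed_content.block_active_content"]) ||
    (DISPLAY.has(type) && prefs["security.mixed_content.block_display_content"]) ||
    (type === "object" && prefs["security.mixed_content.block_object_subrequest"]);
  return { url: res.href, status: blocked ? "blocked" : "insecure" };
}
```

The "upgraded" status is exactly the information the reporter asks the UI to surface; with HTTPS-Only Mode off, the same loads come back "blocked" or "insecure".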

Thanks for the insight.
It's quite refreshing to hear that https-only mode upgraded the insecure page.
From a user perspective, instead of marking the upgraded elements as insecure,
marking them as upgraded or secure (since it is no longer insecure),
might provide a sense of relief, I guess?

Flags: needinfo?(mailto.jchan)
Severity: -- → N/A
Type: defect → enhancement
Priority: -- → P3
Summary: Mixed content upgraded to HTTPS, insecure elements displayed → HTTPS-only mode should indicate when it has upgraded insecure content somehow
Whiteboard: [domsecurity-backlog2]

Is this bug the same as Bug 1653973 or Bug 1163611?

Flags: needinfo?(mailto.jchan)

Redirect a needinfo that is pending on an inactive user to the triage owner.
:freddy, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(mailto.jchan) → needinfo?(fbraun)
Flags: needinfo?(fbraun)

(In reply to opi123 from comment #4)

Is this bug the same as Bug 1653973 or Bug 1163611?

No
