HTTPS-only mode should indicate when it has upgraded insecure content somehow
Categories
(Core :: DOM: Security, enhancement, P3)
People
(Reporter: mailto.jchan, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog2])
Attachments
(1 file: 67.48 KB, image/png)
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Steps to reproduce:
HTTPS-Only Mode : Enable HTTPS-Only Mode in all windows
security.mixed_content.block_active_content: true
security.mixed_content.block_display_content: true
security.mixed_content.block_object_subrequest: true
Loaded https://active-mixed-content.glitch.me/
Actual results:
The page displayed the insecure elements while there was no indication by the browser. Attached image: Capture#01.png
HTTPS-Only Mode : Don’t enable HTTPS-Only Mode
Only the insecure background image is loaded
Attached image: Capture#02.png
Expected results:
Have been expecting in situation #1 (Capture#01.png), that there would be a warning at least in the browser. Did not happen, insecure elements loaded.
In situation #2, the insecure background image alone loaded.
That seemed weird too.
Both the scenarios appear to be buggy? Or is that what is to be expected?
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Core::DOM: Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 2•3 years ago
https-only mode upgrades all the requests IN ORDER THAT mixed-content blocking doesn't break pages -- there is no insecure content loaded, so there's nothing to block or warn the user about. The page was written insecurely, but https-only mode fixed it before it caused any insecure actions to happen. Does that make sense? Or am I misunderstanding what you think should happen?
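An added example, not code from this bug or from Firefox, that models what Comment 2 describes: it lists the http:// subresources an https:// page references and predicts, per setting, whether mixed-content blocking would block each one or HTTPS-Only Mode would upgrade it before blocking is ever consulted. It assumes a simplified active/display split and tag table, Firefox's pref defaults for the two blocking flags (active content blocked, display content allowed), and a constructed sample page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Simplified classes (an assumption, not Firefox's exact table): "active" content can run
# code or restyle the page; "display" content (images, media, CSS backgrounds) only renders.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
DISPLAY = {"img": "src", "audio": "src", "video": "src", "source": "src"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)")
class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (category, where, absolute url) for each http:// subresource
    def _check(self, category, where, raw):
        url = urljoin(self.page_url, raw)  # relative and protocol-relative URLs inherit https
        if urlparse(url).scheme == "http":
            self.findings.append((category, where, url))
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ACTIVE and a.get(ACTIVE[tag]):
            self._check("active", tag, a[ACTIVE[tag]])
        elif tag in DISPLAY and a.get(DISPLAY[tag]):
            self._check("display", tag, a[DISPLAY[tag]])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            self._check("active", tag, a["href"])
        for raw in CSS_URL.findall(a.get("style") or ""):  # inline background-image etc.
            self._check("display", tag + "[style]", raw)

def scan(page_url, html):
    parser = MixedContentScanner(page_url)
    parser.feed(html)
    return parser.findings

def outcome(findings, https_only, block_active=True, block_display=False):
    # Predict each finding's fate; the blocking defaults mirror Firefox's pref defaults.
    result = {}
    for category, _where, url in findings:
        if https_only:  # HTTPS-Only Mode rewrites the request, so blocking never sees http://
            result[url] = "upgraded:https://" + url[len("http://"):]
        elif (category == "active" and block_active) or (category == "display" and block_display):
            result[url] = "blocked"
        else:
            result[url] = "loaded-insecure"  # what the mixed-content warning icon reports
    return result

SAMPLE_PAGE_URL = "https://example.test/"  # constructed sample page, not the reporter's
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script></head>
<body style="background-image: url('http://cdn.example.test/bg.png')"><img src="//cdn.example.test/logo.png">
<iframe src="/frame.html"></iframe></body></html>"""
```

Running `outcome(scan(SAMPLE_PAGE_URL, SAMPLE_HTML), https_only=False)` reproduces the reporter's second scenario (stylesheet and script blocked, background image loaded insecurely), while `https_only=True` reports every one of them as upgraded.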
Thanks for the insight.
It's quite refreshing to hear that https-only mode upgraded the insecure page.
From a user perspective, instead of marking the upgraded elements as insecure, marking them as upgraded or secure (since it is no longer insecure) might provide a sense of relief, I guess?
Updated•3 years ago
Is this bug the same as Bug 1653973 or Bug 1163611?
Comment 5•2 years ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:freddy, since the bug has recent activity, could you have a look please?
For more information, please visit auto_nag documentation.