Closed Bug 1735105 Opened 4 years ago Closed 2 years ago

autoupgrade and block resources if they fail to load over https://

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME
Tracking Flags:
Tracking Status
firefox95 --- affected

People

(Reporter: karlcow, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

(Whiteboard: [domsecurity-backlog3])

  1. With Firefox 95 Nightly
  2. Go to a site using https with images sent as http

Expected:
Images being displayed

Actual:
Images are being blocked.

The three browsers here have different strategies.

  1. Firefox blocks the mixed content
  2. Safari Tech Preview let it go through with a warning in the console.
  3. Blink (Edge) tries to upgrade to https and if the loading is failing, blocks the image.

I'm setting Webcompat P2 because this is a major difference of behavior in between browsers.

Blocks: MixedContentBlocker
Severity: -- → S3
Priority: -- → P3
See Also: → 1734006
Whiteboard: [domsecurity-backlog3]

The actual site seems to be broken in both Chrome and Firefox now.

Is this bug still valid i.e. are we still shipping a different strategy to other browsers?

Webcompat Priority: P2 → ---
Flags: needinfo?(dveditz)

I don't believe we ever blocked mixed image content, unless someone fiddled with their own prefs.

The actual site seems to be broken in both Chrome and Firefox now.

Yes, I believe the site itself is broken. Without a screenshot I'm not sure what the old state was, but currently I don't see "images are blocked"; the page is full of images that load just fine. The main article picture of the illusion uses an http: URL and that one single image is broken.

The site itself serves a strict-transport-security header, so despite having an "http:" URL in its content, all the browsers will attempt to load https: instead. If you load the http: image directly (for example, using cURL) you get a 301 to the https: equivalent. So no matter what a browser's strategy wrt mixed-content, it's going to try to load the https:// version of the .gif. But that file doesn't seem to exist and returns a text/html 404 page which results in a broken image no matter how you got there.

Is this bug still valid i.e. are we still shipping a different strategy to other browsers?

We are, but I believe WPT for the mixed-content spec covers those differences (see bug 1514396). Release Firefox will load mixed-content images as was described as Safari behavior (Mixed-Content Blocking version 1), and that should have been the Firefox behavior well before this bug was filed. Chrome upgrades mixed-content images (Mixed-content blocking version 2), as does Firefox Nightly (not riding the trains... experiments are checking breakage).

Because the site itself is broken I doubt this bug is helping anything.

Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.