Closed
Bug 181072
Opened 22 years ago
Closed 22 years ago
Lock icon showing secure on mixed content page
Categories
(Core Graveyard :: Security: UI, defect, P3)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 135007
People
(Reporter: simon.santoro, Assigned: ssaux)
References
()
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016
if you have a secure web page (https) loaded in mozilla, and there is an image
witch points to an insecure server, mozilla does NOT show the broken padlock.
probably this can cause security issues when we try to call a cgi script witch
is supposed to show the immage in the <img src=".. tag.
code in the secure html page:
<img src="http://www.insecureserver.com/img.gif" width="25" height="25"
align="absmiddle" border="0">
mozilla does not understand there are mixed contents in the page.
personally i did not test something like:
<img src="http://www.insecureserver.com/img.cgi" width="25" height="25"
align="absmiddle" border="0">
witch could inject some javascript in the calling (secure) page.
Reproducible: Always
Steps to Reproduce:
1. create a page with an immage witch points to an insecure url (ex.: <img
src="http://mozilla.org/images/mozilla-banner.gif">
2. put that page on a server witch supports ssl (https).
3. load that page in mozilla over https
4. look at the padlock: it's NOT broken. it should.
5. Fix the bug :)
Actual Results:
mozilla does not understand the loaded page has mixed contents.
Expected Results:
mozilla shuld understand the loaded page has mixed contents.
Comment 1•22 years ago
|
||
psm
Assignee: asa → ssaux
Component: Browser-General → Client Library
Product: Browser → PSM
QA Contact: asa → junruh
Version: Trunk → 2.4
Comment 2•22 years ago
|
||
I've added an in-house test case above. There is no warning that the site
includes an insecure gif file, the insecure gif file IS displayed, and the lock
is locked. The rest of the content is secure. I was under the impression that it
was decided to display gifs from insecure sources without a warning, although IE
and Nav 4.7X do display a warning.
There were previous discussions about this in bug 47496 and bug 28848.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Comment 3•22 years ago
|
||
(I shortened the bug's Summary.)
John,
Is this bug different from bug 47496 in any way? They seem identical to me.
Bug 47496 says it's fixed. Has it become unfixed?
Summary: if the <img src=... html tag points to an img on an insecure url, in a secure web page, mozilla does not show the broken padlock. → Lock icon showing secure on mixed content page
Comment 4•22 years ago
|
||
I have reported the problem before, this is a dupe of bug 135007.
At the current time, we still ignore the security state of loaded images.
See bug 135007 and its dependent bug 135011 that is blocking us from fixing this
problem.
*** This bug has been marked as a duplicate of 135007 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•