Closed Bug 181072 Opened 22 years ago Closed 22 years ago

Lock icon showing secure on mixed content page

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch
x86
Windows 2000
defect

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 135007

People

(Reporter: simon.santoro, Assigned: ssaux)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016

If you have a secure web page (https) loaded in Mozilla, and there is an image which points to an insecure server, Mozilla does NOT show the broken padlock. Probably this can cause security issues when we try to call a CGI script which is supposed to show the image in the <img src=".. tag.

Code in the secure HTML page:

<img src="http://www.insecureserver.com/img.gif" width="25" height="25" align="absmiddle" border="0">

Mozilla does not understand there are mixed contents in the page. Personally I did not test something like:

<img src="http://www.insecureserver.com/img.cgi" width="25" height="25" align="absmiddle" border="0">

which could inject some JavaScript in the calling (secure) page.

Reproducible: Always

Steps to Reproduce:
1. Create a page with an image which points to an insecure URL (ex.: <img src="http://mozilla.org/images/mozilla-banner.gif">).
2. Put that page on a server which supports SSL (https).
3. Load that page in Mozilla over https.
4. Look at the padlock: it's NOT broken. It should be.
5. Fix the bug :)

Actual Results: Mozilla does not understand the loaded page has mixed contents.

Expected Results: Mozilla should understand the loaded page has mixed contents.
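The check the report expects, written as an added example that is not part of the original bug or of Mozilla's code: it derives the lock state for a page from the schemes of its subresources, resolving relative, protocol-relative and <base href> URLs first. The function names, the tag list and the secure.example, cdn.example and static.example hosts are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch (deliberately small set).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "embed": "src", "object": "data"}


class SubresourceCollector(HTMLParser):
    """Collect absolute subresource URLs, honouring <base href>."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.found = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # Later relative URLs resolve against the declared base.
            self.base = urljoin(self.base, attrs["href"].strip())
            return
        attr = FETCH_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.found.append((tag, urljoin(self.base, attrs[attr].strip())))


def lock_state(page_url, html):
    """Return (state, mixed): state is 'insecure', 'secure' or 'broken'."""
    if urlsplit(page_url).scheme != "https":
        return "insecure", []
    parser = SubresourceCollector(page_url)
    parser.feed(html)
    parser.close()
    mixed = [(t, u) for t, u in parser.found if urlsplit(u).scheme == "http"]
    return ("broken" if mixed else "secure"), mixed


# Constructed sample page; the third <img> uses the markup from the report.
SAMPLE = """<html><body>
<img src="/logo.gif">
<img src="//cdn.example/a.gif">
<img src="http://www.insecureserver.com/img.gif" width="25" height="25">
<script src="https://static.example/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    state, mixed = lock_state("https://secure.example/index.html", SAMPLE)
    print(state)
    for tag, url in mixed:
        print(f"  <{tag}> {url}")
```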
psm
Assignee: asa → ssaux
Component: Browser-General → Client Library
Product: Browser → PSM
QA Contact: asa → junruh
Version: Trunk → 2.4
I've added an in-house test case above. There is no warning that the site includes an insecure gif file, the insecure gif file IS displayed, and the lock is locked. The rest of the content is secure. I was under the impression that it was decided to display gifs from insecure sources without a warning, although IE and Nav 4.7X do display a warning. There were previous discussions about this in bug 47496 and bug 28848.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
(I shortened the bug's Summary.)

John, is this bug different from bug 47496 in any way? They seem identical to me. Bug 47496 says it's fixed. Has it become unfixed?
Summary: if the <img src=... html tag points to an img on an insecure url, in a secure web page, mozilla does not show the broken padlock. → Lock icon showing secure on mixed content page
I have reported the problem before, this is a dupe of bug 135007. At the current time, we still ignore the security state of loaded images. See bug 135007 and its dependent bug 135011 that is blocking us from fixing this problem.

*** This bug has been marked as a duplicate of 135007 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified dupe.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard