Remove the Mixed Content Opt-Out in Identity Pane feature (broken for Passive Mixed Content, no longer wanted for active)
Categories
(Core :: DOM: Security, task, P3)
Tracking
()
People
(Reporter: maltejur, Assigned: maltejur)
References
Details
(Whiteboard: [domsecurity-active])
Attachments
(2 files)
Screenshot_20240724_173522.png
To reproduce:
- Use a recent version of Firefox that is already shipping with mixed content level 2 (
security.mixed_content.upgrade_display_content=true) - Visit https://a.httpsonly.polar.onl/mixed-content.html, or any other secure page that contains non-upgradable passive mixed content (like a image) and active mixed content (like a iframe).
- Click on the lock icon in the address bar > "Connection secure" > "Disable protections for now"
- The page should reload now
Expected result: Both the active (iframe) and passive (image) mixed content now loads as expected
Actual result: Only the active mixed content loads, the image is still being blocked
Flipping security.mixed_content.upgrade_display_content to false will make passive mixed content load as expected, so this must have changed with the rollout of mixed content level 2. I heard from Christoph that we may want to remove this UI in the identity pane (lock icon) entirely, as it currently already is quite hidden and used by a very little amount of users. That would of course solve this problem, and would also help with consistency in other components (like HTTPS-Only) which expect mixed content blocking to always be enabled.
|
||
Comment 1•1 year ago
|
||
Wow, I didn't even know we had the option to load insecure active content! That needs to go.
Since we just turned on mixed-passive content upgrading and may have broken images/videos some could argue we could redirect it the button to load the images (and not frames/scripts) instead. That would be a mistake. Chrome has been upgrading for a long time and all non-zombie sites have adjusted. Further, we can normally right-click on a broken item and open it in a new window if you really need to see it. We should just get rid of this button/mechanism entirely. I bet tracking this exception complicates the code a bit, too.
I didn't see this come up in the plans to revamp our address bar tracking/security/permissions panels -- I bet the UX folks didn't know about it either!
Unfortunately the "right-click to open" is also a bit broken now. The fix for that would be elsewhere (in the front-end) so I will file that separately. Option 1 (see below) would provide a work-around, but I doubt it would fix the "open in new tab" bug itself (it might?). Option 2 definitely wouldn't fix it, even though that is otherwise my preferred choice overall.
To summarize the end of comment 0, we have two options:
Option 1
Make "passive mixed content" loading check the "disable protections" state the way active content does
Option 2
Get rid of this mechanism entirely. Simplifies the code and removes an obscure and insecure feature that is no longer needed.
|
||
Comment 2•1 year ago
|
||
Set release status flags based on info from the regressing bug 1779757
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 3•1 year ago
|
||
We're changing this bug to reflect "Option 2" -- a task to get rid of this feature entirely
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Updated•1 year ago
|
|
|
Assignee | |
Comment 5•8 months ago
|
||
Rationale on this can be found in Bug 1909681.
|
||
Comment 6•8 months ago
|
||
I wonder if we should find out how much the block_active_content and block_display_content prefs are used and consider them for a follow up....
|
||
Comment 8•6 months ago
|
||
| bugherder | ||
|
|
||
Updated•6 months ago
|
|
||
Updated•5 months ago
|
Description
•