Closed Bug 234663 Opened 16 years ago Closed 16 years ago

Mozilla/Firefox doesn't warn on insecure content (image) contained on secure page

Categories: Core Graveyard :: Security: UI, defect, critical
Other Branch / x86 / Windows 98 / Not set

Tracking: (Not tracked)

RESOLVED DUPLICATE of bug 135007

People: Reporter: dbspry, Assigned: security-bugs

Details

User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

In the page at https://library2.uncc.edu/ssltest.html , neither Mozilla nor Firefox
warns the user about the page containing insecure content, in this case an image served
via http.  All previous versions of Netscape and IE warn the user when this
condition occurs.

Gist: the page is served via https, but an image tag refers to an http-served image.
The browser should warn.  This is bad because the image could contain tracker code which
grabs information off the secure page.

Reproducible: Always
Steps to Reproduce:
1.  Load https://library2.uncc.edu/ssltest.html
2.  OK through the certificate errors (self-generated)
3.  Browser doesn't warn.  Loads insecure image as if nothing was wrong.

Actual Results:  
Browser doesn't warn.  Loads insecure image as if nothing was wrong.

Expected Results:  
The browser should have warned about some insecure content, then not load the
insecure content (Netscape Communicator's behavior).

Netscape's warning message is:
You have requested a secure document that contains some insecure information. 
The insecure information will not be shown.  For more information on security
choose Document Information from the View menu.

IE's warning message is:
This page contains both secure and nonsecure items.  Do you want to display the
nonsecure items?  Yes/No/More Info buttons are presented.

Tested in both Firefox 0.8 and Mozilla 1.3, and problem is same in both.  I
assume codebase or library is shared, making both affected.

The test page is timing out for me.

(In reply to comment #1)
> The test page is timing out for me.

There may be firewall issues.

Here is the contents of the page:

------
Test<P>

<IMG SRC="http://library.uncc.edu/graphics/libdept.jpg"><P>
------

Just a simple page containing an http-called image.  However, a bad person could
lace that image with additional code to capture variables from the secure page.
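The check the reporter wants the browser to perform, as an added example that is not code from the bug report or from Mozilla: scan an https document's sub-resource references and flag any that would be fetched over plain http (mixed content). The sample document is a constructed copy of the test page above, and the tag/attribute table is an assumption listing common sub-resource elements.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed table of elements whose attributes make the browser fetch a
# sub-resource. "link" is an approximation: not every rel= is fetched.
RESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
}


class MixedContentScanner(HTMLParser):
    """Collect (tag, url) pairs for resources that would load over http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IMG SRC=...>
        # from the reporter's page arrives here as ("img", "src").
        for name, value in attrs:
            if value and name in RESOURCE_ATTRS.get(tag, ()):
                # Resolve relative references against the page URL so that
                # "/x" and "//host/x" inherit https and are not flagged.
                absolute = urljoin(self.page_url, value)
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return http sub-resources of an https page; [] if the page is not https."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure


# Constructed sample mirroring the reporter's ssltest.html.
TEST_PAGE = 'Test<P>\n\n<IMG SRC="http://library.uncc.edu/graphics/libdept.jpg"><P>\n'

if __name__ == "__main__":
    page = "https://library2.uncc.edu/ssltest.html"
    for tag, url in find_mixed_content(page, TEST_PAGE):
        print(f"insecure <{tag}> on secure page: {url}")
```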

My testing of Mozilla 1.7 beta and current firefox nightly builds suggests that
we do warn on insecure content within a secure page. See
https://sourceforge.net/ which first throws the "entering a secure site"
warning, then a second or two later throws the "secure site with insecure
content" warning and shows the broken secure lock icon in the statusbar.

Interesting, Asa, I do NOT get a warning or a broken lock icon on
https://sourceforge.net, but page info does show an insecure image from
http://google-ssl.osdn.net. LiveHTTPHeaders doesn't show a hit on that site, though.

dupe of non-confidential bug, removing flag

*** This bug has been marked as a duplicate of 135007 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Component: Security: General → Client Library
Product: Browser → PSM
Resolution: --- → DUPLICATE
Version: Trunk → unspecified
Product: PSM → Core
Product: Core → Core Graveyard