Closed Bug 234663 Opened 17 years ago Closed 17 years ago
Mozilla/Firefox doesn't warn on insecure content (image) contained on secure page
User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

In the page at https://library2.uncc.edu/ssltest.html , neither Mozilla nor Firefox warns the user about the page containing insecure content, in this case an image served via http. All previous versions of Netscape and IE warn the user when this condition occurs. Gist: the page is served via https, but the image tag refers to an http-served image. The browser should warn. This is bad because the image could contain tracker code which grabs information off the secure page.

Reproducible: Always

Steps to Reproduce:
1. Load https://library2.uncc.edu/ssltest.html
2. OK through the certificate errors (self-generated)
3. Browser doesn't warn. Loads insecure image as if nothing was wrong.

Actual Results:
Browser doesn't warn. Loads insecure image as if nothing was wrong.

Expected Results:
The browser should have warned about some insecure content, then not loaded the insecure content (Netscape Communicator's behavior).

Netscape's warning message is:
"You have requested a secure document that contains some insecure information. The insecure information will not be shown. For more information on security choose Document Information from the View menu."

IE's warning message is:
"This page contains both secure and nonsecure items. Do you want to display the nonsecure items?" Yes/No/More Info buttons are presented.

Tested in both Firefox 0.8 and Mozilla 1.3, and the problem is the same in both. I assume the codebase or library is shared, making both affected.
The test page is timing out for me.
(In reply to comment #1)
> The test page is timing out for me.

There may be firewall issues. Here are the contents of the page:
------
Test<P>
<IMG SRC="http://library.uncc.edu/graphics/libdept.jpg"><P>
------
Just a simple page containing an http-called image. However, a bad person could lace that image with additional code to capture variables from the secure page.
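The check the reporter expects the browser to perform, written out as an added example (this is not code from the bug, from Mozilla or from PSM): scan a page's HTML for subresources that an https document would fetch over plain http, report them, and optionally strip them the way Netscape's message describes ("the insecure information will not be shown"). The URL and the two-line HTML are the ones pasted in comment 2; the second sample page, the tag list and the passive/active split are assumptions made for the example, not something the bug discusses. It runs under Node.js with no dependencies.

```javascript
// Added example, not part of the bug report or of Mozilla/PSM code.
// Detects "mixed content": subresources an https page would load over http.

// Which start tags fetch a subresource, and how dangerous a plain-http
// fetch of it is. Passive content can be observed or swapped by a network
// attacker; active content runs in the secure page's origin. (Assumed
// classification, modelled on later browser behaviour.)
const SUBRESOURCE_TAGS = {
  img: 'passive', audio: 'passive', video: 'passive', source: 'passive',
  script: 'active', iframe: 'active', object: 'active', embed: 'active',
  link: 'active',
};

// Extract one attribute value from a tag's attribute string. The
// lookbehind keeps "data-src" from matching "src". Values containing
// a literal ">" are not handled; this is a scanner, not an HTML parser.
function attrValue(attrs, name) {
  const re = new RegExp(`(?<![\\w-])${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = attrs.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Walk every start tag and yield the ones that would be fetched over http
// from a document at docUrl. References are resolved against docUrl, so
// "http://host/x" is flagged while "/x" and "//host/x" (which inherit
// https) are not.
function scan(html, docUrl) {
  const base = new URL(docUrl);
  const findings = [];
  if (base.protocol !== 'https:') return findings; // only an https page can be "mixed"
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const kind = SUBRESOURCE_TAGS[tag];
    if (!kind) continue;
    // <link> only fetches when it is a stylesheet; other rel values are ignored here.
    if (tag === 'link' && !/stylesheet/i.test(attrValue(m[2], 'rel') || '')) continue;
    const ref = attrValue(m[2], tag === 'link' ? 'href' : tag === 'object' ? 'data' : 'src');
    if (!ref) continue;
    let url;
    try { url = new URL(ref, base); } catch { continue; } // unparsable: nothing is fetched
    if (url.protocol === 'http:') {
      findings.push({ start: m.index, end: m.index + m[0].length, tag, url: url.href, kind });
    }
  }
  return findings;
}

// Report: what the "page info" / broken-lock UI would list.
function findMixedContent(html, docUrl) {
  return scan(html, docUrl).map(({ tag, url, kind }) => ({ tag, url, kind }));
}

// Lock state the browser chrome should show for the page.
function lockState(findings) {
  if (findings.length === 0) return 'secure';
  return findings.some(f => f.kind === 'active') ? 'mixed-active' : 'mixed-passive';
}

// Netscape-style handling: drop the offending start tags so the insecure
// resources are never requested; everything else is left untouched.
function blockInsecure(html, docUrl) {
  let out = '';
  let last = 0;
  for (const f of scan(html, docUrl)) {
    out += html.slice(last, f.start) + '<!-- insecure http: resource not shown -->';
    last = f.end;
  }
  return out + html.slice(last);
}

// Constructed sample input: the test page exactly as pasted in comment 2.
const SSLTEST_URL = 'https://library2.uncc.edu/ssltest.html';
const SSLTEST_HTML = 'Test<P>\n<IMG SRC="http://library.uncc.edu/graphics/libdept.jpg"><P>\n';

// Constructed second page (hypothetical hosts): one same-origin image, one
// http script (active), one protocol-relative stylesheet (stays https).
const MIXED_ACTIVE_HTML =
  '<img src="/logo.png"><script src="http://tracker.example/t.js"></script>' +
  '<link rel="stylesheet" href="//cdn.example/site.css">';

console.log(JSON.stringify(findMixedContent(SSLTEST_HTML, SSLTEST_URL)));
console.log(lockState(findMixedContent(SSLTEST_HTML, SSLTEST_URL)));
```

The scanner deliberately resolves every reference against the document URL before looking at the scheme: a page with a `<base href>` or protocol-relative links would otherwise be misjudged. Modern pages can avoid the problem entirely by sending a Content-Security-Policy of `upgrade-insecure-requests`, which makes the browser rewrite such http: subresource fetches to https: before they leave the client.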
My testing of Mozilla 1.7 beta and current firefox nightly builds suggests that we do warn on insecure content within a secure page. See https://sourceforge.net/ which first throws the "entering a secure site" warning, then a second or two later throws the "secure site with insecure content" warning and shows the broken secure lock icon in the statusbar.
Interesting, Asa, I do NOT get a warning or a broken lock icon on https://sourceforge.net, but page info does show an insecure image from http://google-ssl.osdn.net. LiveHTTPHeaders doesn't show a hit on that site though.

dupe of non-confidential bug, removing flag

*** This bug has been marked as a duplicate of 135007 ***
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Component: Security: General → Client Library
Product: Browser → PSM
Resolution: --- → DUPLICATE
Version: Trunk → unspecified