Closed Bug 333440 Opened 18 years ago Closed 8 years ago

https: Warn if CSS style sheet is not coming from the same server

Categories

(Core :: Security: PSM, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: hauser, Unassigned)

References

(Blocks 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

When adding in my HTML-header a non-https css

<link rel="stylesheet" type="text/css" href="http://my.domain.tld/dir/main.css" />

no warning is issued.


Reproducible: Always

Actual Results:  
No warning is issued (same with MSIE)

Expected Results:  
Have a waring equivalent to the one I get if for example images are served from a different/non-https host

I haven't focused on figuring out an exploit yet. But an easy one is certainly that an insider in an eBanking application can turn certain disclaimers, warnings etc. invisible by setting the font-color of a <div> containing a particular text to the background color.

Sure, this implies that the bank chooses this stupid system set-up in the first place.


appears to be the opposite of the previously reported Bug 292413
> I haven't focused on figuring out an exploit yet.

In both Mozilla and IE, it's possible for a third-party stylesheet to inject JavaScript.  See bug 324253.  So a site that uses https, but grabs stylesheets from http, isn't getting much of the benefit of https.  (In particular, a MITM attack against the stylesheet server would give the attacker XSS-like control over the https pages.)
Blocks: lockicon
So.. shouldn't this put the page in the "mixed" security mode?  Why doesn't it?
Lots of things should put an https page into mixed mode and don't.  I've added many of them to bug 130949.
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE.  Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
I don't like autoclosing bugs, reopening.
Status: RESOLVED → REOPENED
Component: Security → Security: PSM
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → psm
Resolution: INCOMPLETE → ---
Version: unspecified → Trunk
The mixed content blocker fixed this.
Status: REOPENED → RESOLVED
Closed: 14 years ago8 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.