Closed
Bug 333440
Opened 19 years ago
Closed 9 years ago
https: Warn if CSS style sheet is not coming from the same server
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: hauser, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
When adding in my HTML-header a non-https css
<link rel="stylesheet" type="text/css" href="http://my.domain.tld/dir/main.css" />
no warning is issued.
Reproducible: Always
Actual Results:
No warning is issued (same with MSIE)
Expected Results:
Have a waring equivalent to the one I get if for example images are served from a different/non-https host
I haven't focused on figuring out an exploit yet. But an easy one is certainly that an insider in an eBanking application can turn certain disclaimers, warnings etc. invisible by setting the font-color of a <div> containing a particular text to the background color.
Sure, this implies that the bank chooses this stupid system set-up in the first place.
appears to be the opposite of the previously reported Bug 292413
Comment 1•19 years ago
|
||
> I haven't focused on figuring out an exploit yet.
In both Mozilla and IE, it's possible for a third-party stylesheet to inject JavaScript. See bug 324253. So a site that uses https, but grabs stylesheets from http, isn't getting much of the benefit of https. (In particular, a MITM attack against the stylesheet server would give the attacker XSS-like control over the https pages.)
Blocks: lockicon
Comment 2•19 years ago
|
||
So.. shouldn't this put the page in the "mixed" security mode? Why doesn't it?
Comment 3•19 years ago
|
||
Lots of things should put an https page into mixed mode and don't. I've added many of them to bug 130949.
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE
Comment 5•14 years ago
|
||
I don't like autoclosing bugs, reopening.
Status: RESOLVED → REOPENED
Component: Security → Security: PSM
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → psm
Resolution: INCOMPLETE → ---
Version: unspecified → Trunk
Comment 6•9 years ago
|
||
The mixed content blocker fixed this.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 9 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•