Feeds served over HTTPS act insecure (no SSL indicators)
Categories
(Firefox Graveyard :: RSS Discovery and Preview, defect, P3)
Tracking
(Not tracked)
People
(Reporter: philor, Unassigned, NeedInfo)
References
(Blocks 1 open bug, )
Details
STR: 1. For extra fun, set security.warn_leaving_secure to true 2. Go to https://bugzilla.mozilla.org/buglist.cgi?bug_id=333751 3. Click the "RSS" link at the bottom of the list. 4. Get a warning that you are leaving a secure page for an insecure one, and when the feed at https://bugzilla.mozilla.org/buglist.cgi?bug_id=333751&ctype=rss loads note that the addressbar background is white, and that there's no lock icon.
Updated•18 years ago
|
Updated•18 years ago
|
Updated•18 years ago
|
Comment 1•18 years ago
|
||
The reason for this is: - the original content loads over https (secure) - the preview page is loaded from a jar channel (insecure) nsSecureBrowserUIImpl inspects the current channel for securityInfo and uses that to update the browser UI. In this "nested" channel situation we have no way of knowing what the securityInfo of the original channel is. This will potentially require significant API changes. Since this is lesser priority (worst case is user getting freaked out that content isn't secure when it actually is - anyway https: is still shown in location bar if coloration and lock icon isn't), I'm going to mark this not blocking.
Comment 2•18 years ago
|
||
related with bug 232944?
Updated•18 years ago
|
Updated•18 years ago
|
Updated•17 years ago
|
Updated•17 years ago
|
Reporter | ||
Updated•17 years ago
|
Updated•17 years ago
|
Comment 3•15 years ago
|
||
(In reply to comment #2) > related with bug 232944? I would more say no, but might be. At least, I don't believe fixing that bug will be sufficient to fix this one.
Comment 4•15 years ago
|
||
Seems more like fixing bug 482245 will help here because we change location of the page to file://.../subscribe.xhtml.
Comment 7•15 years ago
|
||
I promise I searched for this, but I used SSL and not HTTPS in my search. :(
Comment 10•11 years ago
|
||
The feed reader component has been mostly demoted in recent versions of Firefox, and we're unlikely to extend or expand on it. The bug mentioned here sounds relatively minor, and unique to the feed reader component, so I'm marking WONTFIX.
Updated•11 years ago
|
Comment 15•8 years ago
|
||
Appears to be fixed as of Firefox 47. I'm Running Firefox 47 on OpenBSD-current amd64, getting the correct padlock indicator when viewing RSS feeds over TLS.
Comment 16•8 years ago
|
||
FF49.0.2 Mac still shows this error. Have had to explain to customers that the issue is with Firefox, not services provided by my employ.
Comment 24•6 years ago
|
||
Still wontfix for Quantum ? This bug seems to indicate an asynchrony problem with the way the address bar info shows if a connection is secure.
Comment 25•6 years ago
|
||
I also just noticed this. The shape of the web with respect to HTTPS has changed a lot since 2006 when this was filed, and since 2013 when this was marked WONTFIX; the insecure broken padlock indicator is now quite prominent, and I believe may be even more prominent with descriptive text in the very near future. People keep on reporting this; it’s up to 15 duplicates now, five of them in the last year, and eleven of them since the 2013 WONTFIX resolution. The increased rate of reports is doubtless due to the browser UI changes to emphasise insecurity when (allegedly!) present. I request a re-evaluation of the status of this bug.
Updated•5 years ago
|
Comment 26•5 years ago
|
||
Still busted. And now in the graveyard.
I can't reproduce this - does Firefox even support RSS any more? I thought we removed it.
Comment 28•5 years ago
|
||
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #27)
I can't reproduce this - does Firefox even support RSS any more? I thought we removed it.
Bug 1465203 has recent information on how to reproduce.
Open this page: https://blog.mozilla.org/firefox/feed/
You'll get a page with https, but without security indicators.
Comment 29•5 years ago
|
||
Oh sorry, I was testing with 60.8
WIth 68.0, I don't get RSS display, but only a download offered.
Comment 30•5 years ago
|
||
That's because Mozilla have reconfigured all their feeds to download instead of display. (That is presumably to avoid displaying the underlying XML code as opposed to rendering them in a more human readable form like used to happen before they dropped support for that.) Meanwhile, much of the rest of the web still have their feeds set to display not download:
https://www.usa.gov/rss/updates.xml - Over https
https://feeds.bbci.co.uk/news/england/rss.xml - Over https but with mixed content. XSL transforms used to display feed as HTML.
http://rss.slashdot.org/Slashdot/slashdot - Over http
So, feeds served over HTTPS do seem to display with the correct security indicators.
Comment hidden (spam) |
Comment hidden (spam) |
Description
•