Closed Bug 337897 Opened 18 years ago Closed 11 years ago

Feeds served over HTTPS act insecure (no SSL indicators)

Categories

(Firefox Graveyard :: RSS Discovery and Preview, defect, P3)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: philor, Unassigned, NeedInfo)

References

(Blocks 1 open bug, )

Details

STR:

1. For extra fun, set security.warn_leaving_secure to true
2. Go to https://bugzilla.mozilla.org/buglist.cgi?bug_id=333751
3. Click the "RSS" link at the bottom of the list.
4. Get a warning that you are leaving a secure page for an insecure one, and when the feed at https://bugzilla.mozilla.org/buglist.cgi?bug_id=333751&ctype=rss loads note that the addressbar background is white, and that there's no lock icon.
Assignee: nobody → bugs
Priority: -- → P3
Target Milestone: --- → Firefox 2 beta1
Whiteboard: [swag:5d]
Flags: blocking-firefox2+
The reason for this is:

- the original content loads over https (secure)
- the preview page is loaded from a jar channel (insecure)

nsSecureBrowserUIImpl inspects the current channel for securityInfo and uses that to update the browser UI. 

In this "nested" channel situation we have no way of knowing what the securityInfo of the original channel is. 

This will potentially require significant API changes. Since this is lesser priority (worst case is user getting freaked out that content isn't secure when it actually is - anyway https: is still shown in location bar if coloration and lock icon aren't), I'm going to mark this not blocking.
Flags: blocking-firefox2+ → blocking-firefox2-
Keywords: relnote
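
A simplified model of the nested-channel situation described in the comment above, added here as an illustration and not taken from Firefox source. Apart from securityInfo, every name (makeChannel, originalChannel, the jar: placeholder URL) is hypothetical, and following the nesting is only one possible shape for the API change the comment mentions.

```javascript
// Added illustration: a simplified model, not Firefox source code.
// All names except securityInfo are hypothetical.

// In this model a channel is what a document was loaded from;
// only a TLS load carries a securityInfo object.
function makeChannel(url, securityInfo = null, originalChannel = null) {
  return { url, securityInfo, originalChannel };
}

// Behaviour described in the comment: the UI looks only at the current channel.
function indicatorFromCurrentChannel(channel) {
  return channel.securityInfo ? "secure" : "insecure";
}

// Hypothetical alternative: follow the nesting back to the load that
// fetched the content and report that load's state.
function indicatorFromOriginalChannel(channel) {
  const seen = new Set(); // guards against a cyclic chain
  let current = channel;
  while (current.originalChannel && !seen.has(current)) {
    seen.add(current);
    current = current.originalChannel;
  }
  return current.securityInfo ? "secure" : "insecure";
}

// The reported symptom: https: in the location bar, but no lock icon.
function hasIndicatorMismatch(displayedUrl, indicator) {
  return new URL(displayedUrl).protocol === "https:" && indicator !== "secure";
}

// Constructed sample loads (feed URLs are the ones quoted on this page).
const feedUrl = "https://bugzilla.mozilla.org/buglist.cgi?bug_id=333751&ctype=rss";
const httpsFeed = makeChannel(feedUrl, { constructed: true });
const preview = makeChannel("jar:preview-page.example", null, httpsFeed);
const httpFeed = makeChannel("http://rss.slashdot.org/Slashdot/slashdot");
const httpPreview = makeChannel("jar:preview-page.example", null, httpFeed);

console.log(indicatorFromCurrentChannel(preview));      // wrapper only
console.log(indicatorFromOriginalChannel(preview));     // HTTPS feed behind it
console.log(indicatorFromOriginalChannel(httpPreview)); // HTTP feed behind it
```
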
related with bug 232944?
Flags: blocking1.9?
Keywords: relnote
Target Milestone: Firefox 2 beta1 → Firefox 3 alpha1
Flags: blocking1.9? → blocking-firefox3?
Assignee: bugs → nobody
Flags: blocking-firefox3? → blocking-firefox3-
Whiteboard: [swag:5d] → [wanted-firefox3]
Target Milestone: Firefox 3 alpha1 → ---
Flags: wanted-firefox3+
Whiteboard: [wanted-firefox3]
(In reply to comment #2)
> related with bug 232944?

I would more say no, but might be. At least, I don't believe fixing that bug will be sufficient to fix this one.
Seems more like fixing bug 482245 will help here because we change location of the page to file://.../subscribe.xhtml.
Depends on: 482245
Blocks: lockicon
I promise I searched for this, but I used SSL and not HTTPS in my search. :(
Summary: Feeds served over HTTPS act insecure → Feeds served over HTTPS act insecure (no SSL indicators)
The feed reader component has been mostly demoted in recent versions of Firefox, and we're unlikely to extend or expand on it. The bug mentioned here sounds relatively minor, and unique to the feed reader component, so I'm marking WONTFIX.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Resolution: WORKSFORME → WONTFIX
Appears to be fixed as of Firefox 47.

I'm Running Firefox 47 on OpenBSD-current amd64, getting the correct padlock indicator when viewing RSS feeds over TLS.
FF49.0.2 Mac still shows this error. Have had to explain to customers that the issue is with Firefox, not services provided by my employer.
Still wontfix for Quantum?

This bug seems to indicate an asynchrony problem with the way the address bar info shows if a connection is secure.
I also just noticed this. The shape of the web with respect to HTTPS has changed a lot since 2006 when this was filed, and since 2013 when this was marked WONTFIX; the insecure broken padlock indicator is now quite prominent, and I believe may be even more prominent with descriptive text in the very near future.

People keep on reporting this; it’s up to 15 duplicates now, five of them in the last year, and eleven of them since the 2013 WONTFIX resolution. The increased rate of reports is doubtless due to the browser UI changes to emphasise insecurity when (allegedly!) present.

I request a re-evaluation of the status of this bug.
Product: Firefox → Firefox Graveyard

Still busted. And now in the graveyard.

I can't reproduce this - does Firefox even support RSS any more? I thought we removed it.

Flags: needinfo?(mozilla)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #27)

> I can't reproduce this - does Firefox even support RSS any more? I thought we removed it.

Bug 1465203 has recent information on how to reproduce.

Open this page: https://blog.mozilla.org/firefox/feed/

You'll get a page with https, but without security indicators.

Oh sorry, I was testing with 60.8

With 68.0, I don't get RSS display, but only a download offered.

That's because Mozilla have reconfigured all their feeds to download instead of display. (That is presumably to avoid displaying the underlying XML code as opposed to rendering them in a more human readable form like used to happen before they dropped support for that.) Meanwhile, much of the rest of the web still have their feeds set to display not download:

https://www.usa.gov/rss/updates.xml - Over https
https://feeds.bbci.co.uk/news/england/rss.xml - Over https but with mixed content. XSL transforms used to display feed as HTML.
http://rss.slashdot.org/Slashdot/slashdot - Over http

So, feeds served over HTTPS do seem to display with the correct security indicators.
