Open Bug 439942 Opened 16 years ago Updated 2 years ago

Images (etc) with invalid ssl certificates don't trigger a cert dialog

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: alessandro.sturniolo, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080410 SUSE/2.0.0.14-0.1 Firefox/2.0.0.14
Build Identifier: Firefox 3.0

If in a https web page is included an element via https from another site (with different certificates), this elements is not showed, and the browser not propose to accept furthers certificates.

Reproducible: Always

Steps to Reproduce:
1. Create an https web page with an element (for example an image) loaded from another site with different certificates.
2. Load the web page with firefox 3.0

Actual Results:  
The elements from other sites are the browser not propose to accept furthers certificates.

Expected Results:  
The browser have to propose to the user to accept further certificates from other sites.

In Firefox 2.x the browser propose to accept all other certificates required to load all external elements.
Sam, this sounds like a scenario that would open up to cross-site forgery, so I tend to think we should close as INVALID or WONTFIX.  But maybe I don't understand what's going on.  What is your take?
I think this should be WONTFIX.  See bug 399876 for some related discussion.  Maybe the error message in the Error Console can include a link to the error page, which lets you add an exception ;)
Component: General → Embedding: Docshell
Product: Firefox → Core
QA Contact: general → docshell
Summary: Cross site https elements → Images (etc) with invalid ssl certificates don't trigger a cert dialog
Version: unspecified → Trunk
Definitely WONTFIX – in my opinion – for most of the reasons in bug 399876.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.