Closed Bug 445773 Opened 16 years ago Closed 7 years ago

Dynamically loading Flash over http doesn't degrade lock icon state (e.g. when using FlashBlock)

Categories

(Firefox :: Security, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: philip.chee, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fixed by bug 329869])

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.2pre) Gecko/2008071105
Firefox/3.0

And:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a1pre) Gecko/2008071203
Minefield/3.1a1pre

Original Flashblock bug: https://www.mozdev.org/bugs/show_bug.cgi?id=19577

Steps to reproduce:
1. Install Flashblock.
2. Visit https://chaseonline.chase.com/Logon.aspx

Expected results:
1. A pop up dialog warning you that the data on the page is partially encrypted.
2. Larry says that your connection to this website is not encrypted.

Actual results:
1. No pop up warning.
2. Larry says
  [a] Verified: by VeriSign Trust Network.
  [b] Your connection to this website is encrypted.

Given that the flash object coming from an unsecure connection is called "cookiemanager", I think this is slightly worrying.
Is the flash object actually getting loaded?
(In reply to comment #1)
> Is the flash object actually getting loaded?

I don't think so. Flash objects blocked by Flashblock don't trigger any content policy calls so I am pretty certain that nothing is being loaded. On the site in question only that Flash object is being loaded over an unencrypted connection, seems to be WORKSFORME then.
(In reply to comment #1)
> Is the flash object actually getting loaded?

I forgot to add that when you click on the flashblock placeholder to activate the flash object (causing it to load from an unencrypted url), *Larry still doesn't sit up and notice*.
So this isn't related to Flashblock at all. The issue is that Larry doesn't catch anything happening after the page loads. E.g. enter the following into the location bar at this page:

javascript:var i = new Image();i.src = "http://insecure.com/";void document.body.appendChild(i);

This will add an image loading from unencrypted HTTP to this page, yet it is still shown as encrypted - all indicators are unchanged.
Yeah. That sounds like a pretty serious issue to me... I'm also having a hard time believing that it's not already on file.
Is your issue limited to images? It is known that Firefox and SeaMonkey have always been unable to detect insecure images in a secure context, see bug 135007.

Can you modify your test to not use an image, but something else, maybe html content, a script or a style sheet? That should all get detected.
No, exactly the same happens for scripts:

javascript:var s = document.createElement("script");s.src = "http://insecure.com/";void document.body.appendChild(s);

And in Flashblock's case we have an object.
This is similar to bug 329869 (scripts) and bug 305282 (images).
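A model of the check the lock icon was missing, as an added example that is not code from this bug thread or from Firefox: it classifies elements inserted after page load (the image and script bookmarklets above, plus a Flashblock placeholder that fetches nothing) against the page origin and folds them into the state the indicator should show. The function and constant names are assumed, and the active/passive split is the later mixed-content convention, not what Firefox 3.0 implemented.

```javascript
// Added example (not from the bug thread): model of the lock-icon logic for
// resources inserted after page load. Names are assumed, not Firefox's own.

// Tags whose fetches can change the page (scripts, plugins: bug 329869).
const ACTIVE_TAGS = new Set(["script", "object", "embed", "iframe", "link"]);
// Tags whose fetches only display data (images: bug 305282 / bug 135007).
const PASSIVE_TAGS = new Set(["img", "audio", "video"]);

// Classify one inserted element {tagName, src} relative to the page URL.
// Returns "ignored" (nothing fetched), "insecure" (page itself is http),
// "secure", "mixed-passive" or "mixed-active".
function classifyLoad(pageUrl, node) {
  const tag = node.tagName.toLowerCase();
  if (!node.src) return "ignored";               // e.g. a Flashblock placeholder
  const page = new URL(pageUrl);
  const target = new URL(node.src, pageUrl);     // resolve relative URLs
  if (page.protocol !== "https:") return "insecure";
  if (target.protocol === "https:" || target.protocol === "data:") return "secure";
  if (ACTIVE_TAGS.has(tag)) return "mixed-active";
  if (PASSIVE_TAGS.has(tag)) return "mixed-passive";
  return "mixed-active";                         // unknown fetching tag: be conservative
}

// Fold per-load verdicts into the worst state; the indicator may only degrade.
function securityState(pageUrl, nodes) {
  const rank = { secure: 0, "mixed-passive": 1, "mixed-active": 2, insecure: 3 };
  let worst = "secure";
  for (const node of nodes) {
    const v = classifyLoad(pageUrl, node);
    if (v !== "ignored" && rank[v] > rank[worst]) worst = v;
  }
  return worst;
}

// Constructed sample mirroring the two bookmarklets in this thread.
const PAGE = "https://chaseonline.chase.com/Logon.aspx";
const SAMPLE_LOADS = [
  { tagName: "IMG", src: "http://insecure.com/" },     // comment #4 bookmarklet
  { tagName: "SCRIPT", src: "http://insecure.com/" },  // comment #7 bookmarklet
  { tagName: "OBJECT", src: "" },                      // blocked by Flashblock
];

console.log(securityState(PAGE, SAMPLE_LOADS)); // mixed-active
```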
Blocks: lockicon
Summary: Flashblock makes Firefox identify partially encrypted pages as fully encrypted. → Dynamically loading Flash over http doesn't degrade lock icon state (e.g. when using FlashBlock)
Yeah, I bet fixing bug 329869 will fix this too.
Depends on: 329869
This in fact got fixed by bug 329869.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 329869]