Closed Bug 445773 Opened 14 years ago Closed 4 years ago
Dynamically loading Flash over http doesn't degrade lock icon state (e
.g . when using Flash Block)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52pre) Gecko/2008071105 Firefox/3.0 And: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a1pre) Gecko/2008071203 Minefield/3.1a1pre Original Flashblock bug: https://www.mozdev.org/bugs/show_bug.cgi?id=19577 Steps to reproduce: 1. Install Flashblock. 2. Visit https://chaseonline.chase.com/Logon.aspx Expected results: 1. A pop up dialog warning you that the data on the page is partially encrypted. 2. Larry says that your connection to this website is not encrypted. Actual results: 1. No pop up warning. 2. Larry says [a] Verified: by VeriSign Trust Network. [b] Your connection to this website is encrypted. Given that flash object coming from a unsecure connection is called "cookiemanager" I think this is slightly worrying.
Is the flash object actually getting loaded?
(In reply to comment #1) > Is the flash object actually getting loaded? I don't think so. Flash objects blocked by Flashblock don't trigger any content policy calls so I am pretty certain that nothing is being loaded. On the site in question only that Flash object is being loaded over an unencrypted connection, seems to be WORKSFORME then.
(In reply to comment #1) > Is the flash object actually getting loaded? I forgot to add that when you click on the flashblock placeholder to activate the flash object (causing it to load from an unencrypted url), *Larry still doesn't sit up and notice*
Yeah. That sounds like a pretty serious issue to me.... I'm also having a hard time believing that it's not already on file.
Is your issue limited to images? It is known that Firefox and SeaMonkey have always been unable to detect insecure images in a secure context, see bug 135007. Can you modify your test to not use an image, but something else, maybe html content, a script or a style sheet? That should all get detected.
This is similar to bug 329869 (scripts) and bug 305282 (images).
Summary: Flashblock makes Firefox identify partially encrypted pages as fully encrypted. → Dynamically loading Flash over http doesn't degrade lock icon state (e.g. when using FlashBlock)
This in fact got fixed by bug 329869.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 329869]
You need to log in before you can comment on or make changes to this bug.