Closed
Bug 482245
Opened 16 years ago
Closed 15 years ago
data: channel carrying text/html causes secure pages appear as broken
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 477118
People
(Reporter: mayhemer, Assigned: KaiE)
From bug 450912 comment 39:
Install NoScript. Go to https://virtualoffice.lss.ku.edu/NetStorage/ you will need to use the following NoScript settings to simulate the setup and see if the error can be reproduced:
user_pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
user_pref("capability.policy.maonoscript.sites", "about: about:certerror about:config about:neterror about:plugins about:privatebrowsing about:sessionrestore chrome: https://virtualoffice.lss.ku.edu resource:");
user_pref("noscript.allowURLBarJS", false);
user_pref("noscript.autoReload", false);
user_pref("noscript.autoReload.allTabs", false);
user_pref("noscript.autoReload.global", false);
user_pref("noscript.blockCssScanners", true);
user_pref("noscript.blockNSWB", true);
user_pref("noscript.clearClick.exceptions", "");
user_pref("noscript.confirmUnblock", false);
user_pref("noscript.consoleDump", 1);
user_pref("noscript.consoleLog", true);
user_pref("noscript.contentBlocker", true);
user_pref("noscript.ctxMenu", false);
user_pref("noscript.default", "chrome: resource: about:");
user_pref("noscript.docShellJSBlocking", 2);
user_pref("noscript.filterXExceptions", "^http://([a-z]+)\\.google\\.(?:[a-z]{1,3}\\.)?[a-z]+/(?:search|custom|\\1)\\?\n^http://[a-z]+\\.wikipedia\\.org/wiki/[^\"<>\\?%]+$");
user_pref("noscript.firstRunRedirection", false);
user_pref("noscript.forbidBookmarklets", true);
user_pref("noscript.forbidChromeScripts", true);
user_pref("noscript.forbidFrames", true);
user_pref("noscript.forbidIFrames", true);
user_pref("noscript.forbidIFramesContext", 0);
user_pref("noscript.forbidImpliesUntrust", true);
user_pref("noscript.forbidJarDocumentsExceptions", "");
user_pref("noscript.forbidMetaRefresh", true);
user_pref("noscript.forbidXBL", 5);
user_pref("noscript.gtemp", "");
user_pref("noscript.httpsForced", "virtualoffice.lss.ku.edu");
user_pref("noscript.httpsForcedExceptions", "");
user_pref("noscript.ignorePorts", false);
user_pref("noscript.injectionCheck", 3);
user_pref("noscript.intranetMaskRx", "^(1(27|0|92)\\.[\\d.]+)");
user_pref("noscript.lockPrivilegedUI", true);
user_pref("noscript.notify", false);
user_pref("noscript.notify.bottom", false);
user_pref("noscript.notify.hidePermanent", false);
user_pref("noscript.nselForce", false);
user_pref("noscript.nselNever", true);
user_pref("noscript.opacizeObject", 3);
user_pref("noscript.options.tabSelectedIndexes", "1,0,1");
user_pref("noscript.policynames", "");
user_pref("noscript.secureCookies", true);
user_pref("noscript.secureCookiesForced", ".virtualoffice.lss.ku.edu");
user_pref("noscript.showAllowPage", false);
user_pref("noscript.showBlockedObjects", false);
user_pref("noscript.showDistrust", false);
user_pref("noscript.showDomain", true);
user_pref("noscript.showGlobal", false);
user_pref("noscript.showPermanent", false);
user_pref("noscript.showTempToPerm", false);
user_pref("noscript.showUntrusted", false);
user_pref("noscript.showUntrustedPlaceholder", false);
user_pref("noscript.temp", "");
user_pref("noscript.toolbarToggle", 0);
user_pref("noscript.untrusted", "");
user_pref("noscript.version", "1.9.0.8");
Just cancel out of any login prompt and then click each frame NoScript has blocked from displaying so they are activated, then refresh the page. The error should occur then.
Primary analysis:
It seems that at the moment of refresh one of the channels is text/html,text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E%3Ciframe%20src%3D%22https%3A%2F%2Fvirtualoffice.lss.ku.edu%2FNetStorage%2Fwait.html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E
In nsSecureBrowserUIImpl::OnLocationChange it doesn't get ignored. Attachment 366002 has no effect on this.
I have to figure out further what's going on here.
Comment 1 (Reporter) • 16 years ago
I can reproduce this even w/o NoScript. The leftframe.html page loads two
children: ecmatreeframe.html and wait.html, in this order. For some reason, for
wait.html we pick up an nsSHEntry in nsDocShell::LoadURI from its parent at offset
1 whose URI is the data:text/html from the description. Then the document is being
loaded from that URI. This also happens during the first load after I completely
delete the web cache.
Mauler, does your application work with data: URIs directly? I have so far no
idea where the entry gets such a URI.
However, independently of this, I have created automated tests that reproduce
this problem; data channels really drop the security of an otherwise fully secure
page.
Comment 2 • 16 years ago
After I disable NoScript I can no longer produce the error. Cleared the cache, went to the page, canceled out of the login prompt and then even refreshed the page; the page still shows up as fully encrypted. After I re-enable NoScript and do the same steps the error occurs. When I look in the Media tab I see the following non-HTTPS content:
resource://noscript_0.4590145972767695/icon32.png
moz-icon://noscript?size=16&contentType=text/html
I do not see a data: URI anywhere. =o\ The moz-icon: didn't show up before; it was data: showing up instead. I am using the latest x64 version of Firefox 3.1b4 nightly, and the latest NoScript.
Comment 3 (Reporter) • 16 years ago
I'm not sure I can reproduce it either way. Have you modified something on the server recently?
Comment 4 • 16 years ago
Sorry, it's not my server, it's an employee Novell storage site. The only thing on my end that would have changed is updating Firefox to a newer nightly version, which is done each and every night.
Comment 5 (Reporter) • 16 years ago
And are you still able to reproduce it?
Comment 6 • 16 years ago
https://virtualoffice.lss.ku.edu/NetStorage/images/favicon.ico
https://virtualoffice.lss.ku.edu/NetStorage/images/Head_bg.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/Storage_H1.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/NetStorage_title1.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/NetStorage_title2.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/1px_spacer.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/Novellogo.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/But_Logout1.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/But_Logout2.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/But_Text1.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/But_Text2.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/spacer.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/plastnode.gif
https://virtualoffice.lss.ku.edu/NetStorage/images/folderclosed.gif
resource://noscript_0.27617413779591526/icon32.png
Seems to be erratic as to what is showing up. Looks as if resource: is the problem this time. The moz-icon: and the data: one are not showing up during this test, just resource:, and the error still occurs.
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1b4pre) Gecko/20090311 Shiretoko/3.1b4pre
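A triage sketch for the loads reported in this thread (an added example, not Firefox or NoScript code and not written by any commenter): it lists the non-https loads and decodes the data: document from the description to show what it embeds. The `data:text/html;charset=utf-8,` prefix is assumed from comment 1, and all function names are hypothetical.

```javascript
// Added example: triage helper, not Firefox or NoScript code. Payload copied from the bug
// description; the "data:text/html;charset=utf-8," prefix is an assumption from comment 1.
const DATA_URI = "data:text/html;charset=utf-8," +
  "%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E" +
  "%3Ciframe%20src%3D%22https%3A%2F%2Fvirtualoffice.lss.ku.edu%2FNetStorage%2Fwait.html%22%20" +
  "width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E";
// Loads quoted in comments 2 and 6, plus the data: document above.
const LOADS = [
  "https://virtualoffice.lss.ku.edu/NetStorage/images/favicon.ico",
  "resource://noscript_0.27617413779591526/icon32.png",
  "moz-icon://noscript?size=16&contentType=text/html",
  DATA_URI,
];

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// Split a data: URI into its media type and decoded body.
function parseDataUri(uri) {
  const m = /^data:([^,]*),(.*)$/is.exec(uri);
  if (!m) throw new Error("not a data: URI");
  const params = m[1].split(";");
  const b64 = params[params.length - 1].toLowerCase() === "base64";
  if (b64) params.pop();
  const body = b64 ? Buffer.from(m[2], "base64").toString("utf8") : decodeURIComponent(m[2]);
  return { mediaType: params[0].toLowerCase() || "text/plain", body };
}

// URLs in src=/href= attributes (regex scan for triage, not a full HTML parser).
function embeddedUrls(html) {
  return [...html.matchAll(/\b(?:src|href)\s*=\s*["']([^"']+)["']/gi)].map((x) => x[1]);
}

// List every non-https load; for data: HTML documents, also list what they embed.
function triage(urls) {
  return urls.filter((u) => schemeOf(u) !== "https").map((u) => {
    const entry = { scheme: schemeOf(u), embeds: [], embedsAllHttps: null };
    if (entry.scheme !== "data") return entry;
    const { mediaType, body } = parseDataUri(u);
    entry.mediaType = mediaType;
    if (mediaType === "text/html") {
      entry.embeds = embeddedUrls(body);
      entry.embedsAllHttps = entry.embeds.every((e) => schemeOf(e) === "https");
    }
    return entry;
  });
}
console.log(JSON.stringify(triage(LOADS), null, 2));
```

The data: document itself only embeds an https iframe, which matches the report that the page is otherwise fully secure.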
Comment 7 (Reporter) • 16 years ago
CrYpTiC MauleR: I will create a try server build with patch for bug 477118 and a potential patch for this bug. Would you be willing to retry the scenario with that build as I'm no longer able to?
Comment 8 • 16 years ago
I'll be more than willing to try it out. Will it be a build where I can just unzip it into /usr/lib/firefox? Provided I delete prior contents beforehand.
Comment 9 (Reporter) • 16 years ago
Thanks for the help with it. It will be a tar.bz2 file. Give me a few days, I'm stuck with some more urgent work at the moment. Then I'll post a link to the builds to this bug.
Comment 10 (Reporter) • 16 years ago
Mauler: I'm sorry for such a delay, but I don't have time to fulfill comment 7 in the near term (weeks) right at the moment, but I keep this bug closely tracked.
Comment 11 • 16 years ago
Not a problem at all, just happy it's on the table. =o)
Comment 12 (Reporter) • 15 years ago
If this particular bug still appears, please re-open. This should be fixed on current 3.5.x and 3.6 releases.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE