Closed Bug 482245 Opened 15 years ago Closed 15 years ago

data: channel carrying text/html causes secure pages appear as broken

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 477118

People

(Reporter: mayhemer, Assigned: KaiE)

From bug 450912 comment 39:

Install NoScript. Go to https://virtualoffice.lss.ku.edu/NetStorage/ you will need to use the following NoScript settings to simulate the setup and see if the error can be reproduced:

user_pref("capability.policy.maonoscript.javascript.enabled", "allAccess");
user_pref("capability.policy.maonoscript.sites", "about: about:certerror about:config about:neterror about:plugins about:privatebrowsing about:sessionrestore chrome: https://virtualoffice.lss.ku.edu resource:");
user_pref("noscript.allowURLBarJS", false);
user_pref("noscript.autoReload", false);
user_pref("noscript.autoReload.allTabs", false);
user_pref("noscript.autoReload.global", false);
user_pref("noscript.blockCssScanners", true);
user_pref("noscript.blockNSWB", true);
user_pref("noscript.clearClick.exceptions", "");
user_pref("noscript.confirmUnblock", false);
user_pref("noscript.consoleDump", 1);
user_pref("noscript.consoleLog", true);
user_pref("noscript.contentBlocker", true);
user_pref("noscript.ctxMenu", false);
user_pref("noscript.default", "chrome: resource: about:");
user_pref("noscript.docShellJSBlocking", 2);
user_pref("noscript.filterXExceptions",
"^http://([a-z]+)\\.google\\.(?:[a-z]{1,3}\\.)?[a-z]+/(?:search|custom|\\1)\\?\n^http://[a-z]+\\.wikipedia\\.org/wiki/[^\"<>\\?%]+$");
user_pref("noscript.firstRunRedirection", false);
user_pref("noscript.forbidBookmarklets", true);
user_pref("noscript.forbidChromeScripts", true);
user_pref("noscript.forbidFrames", true);
user_pref("noscript.forbidIFrames", true);
user_pref("noscript.forbidIFramesContext", 0);
user_pref("noscript.forbidImpliesUntrust", true);
user_pref("noscript.forbidJarDocumentsExceptions", "");
user_pref("noscript.forbidMetaRefresh", true);
user_pref("noscript.forbidXBL", 5);
user_pref("noscript.gtemp", "");
user_pref("noscript.httpsForced", "virtualoffice.lss.ku.edu");
user_pref("noscript.httpsForcedExceptions", "");
user_pref("noscript.ignorePorts", false);
user_pref("noscript.injectionCheck", 3);
user_pref("noscript.intranetMaskRx", "^(1(27|0|92)\\.[\\d.]+)");
user_pref("noscript.lockPrivilegedUI", true);
user_pref("noscript.notify", false);
user_pref("noscript.notify.bottom", false);
user_pref("noscript.notify.hidePermanent", false);
user_pref("noscript.nselForce", false);
user_pref("noscript.nselNever", true);
user_pref("noscript.opacizeObject", 3);
user_pref("noscript.options.tabSelectedIndexes", "1,0,1");
user_pref("noscript.policynames", "");
user_pref("noscript.secureCookies", true);
user_pref("noscript.secureCookiesForced", ".virtualoffice.lss.ku.edu");
user_pref("noscript.showAllowPage", false);
user_pref("noscript.showBlockedObjects", false);
user_pref("noscript.showDistrust", false);
user_pref("noscript.showDomain", true);
user_pref("noscript.showGlobal", false);
user_pref("noscript.showPermanent", false);
user_pref("noscript.showTempToPerm", false);
user_pref("noscript.showUntrusted", false);
user_pref("noscript.showUntrustedPlaceholder", false);
user_pref("noscript.temp", "");
user_pref("noscript.toolbarToggle", 0);
user_pref("noscript.untrusted", "");
user_pref("noscript.version", "1.9.0.8");

Just cancel out of any login prompt and then click each frame NoScript has blocked from displaying so they are activated, then refresh page. The error should occur then.

Primary analysis:
It seems that at the moment of refresh one of the channels is text/html,text/html;charset=utf-8,%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20margin%3A%200px%22%3E%3Ciframe%20src%3D%22https%3A%2F%2Fvirtualoffice.lss.ku.edu%2FNetStorage%2Fwait.html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E

In nsSecureBrowserUIImpl::OnLocationChange it doesn't get ignored. Attachment 366002 has no effect on this.

I have to figure out further what's going on here.
I can reproduce this even w/o noscript. The leftframe.html page loads two children: ecmatreeframe.html and wait.html, in this order. For some reason, for wait.html we pick up the nsSHEntry in nsDocShell::LoadURI from its parent at offset 1, whose URI is the data:text/html from the description. Then the document is loaded from that URI. This also happens during the first load after I completely delete the web cache.

Mauler, does your application work with data: URIs directly? I have so far no idea where the entry gets such a URI.

However, independently of this, I have created automated tests that reproduce this problem; data channels really drop security of an otherwise fully secure page.
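
What the data: document from the description contains can be read by decoding its payload. The following is an added example, not part of the original bug comments or Mozilla code; DATA_URI is the quoted payload written with the data: scheme named in the bug title, and the function names are hypothetical.

```javascript
// Added example (Node.js): decode a data: URI and list the URLs its HTML embeds.
// DATA_URI is constructed: the percent-encoded payload quoted in the description,
// written with the data: scheme named in the bug title.
const DATA_URI =
  "data:text/html;charset=utf-8," +
  "%3Chtml%3E%3Chead%3E%3C%2Fhead%3E%3Cbody%20style%3D%22padding%3A%200px%3B%20" +
  "margin%3A%200px%22%3E%3Ciframe%20src%3D%22https%3A%2F%2Fvirtualoffice.lss.ku.edu" +
  "%2FNetStorage%2Fwait.html%22%20width%3D%22100%25%22%20height%3D%22100%25%22%3E" +
  "%3C%2Fiframe%3E%3C%2Fbody%3E%3C%2Fhtml%3E";

// Split "data:[<mediatype>][;param...][;base64],<payload>" and decode the payload.
function parseDataUri(uri) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(uri);
  if (!m) throw new Error("not a data: URI");
  const params = m[1].split(";");
  const isBase64 = params.length > 1 && params[params.length - 1].toLowerCase() === "base64";
  if (isBase64) params.pop();
  const mediaType = (params.shift() || "text/plain").toLowerCase();
  const raw = decodeURIComponent(m[2]);
  const body = isBase64 ? Buffer.from(raw, "base64").toString("utf8") : raw;
  return { mediaType, params, body };
}

// Collect src/href/action attribute values and the scheme of each.
function embeddedUrls(html) {
  const attr = /\b(?:src|href|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = [];
  let m;
  while ((m = attr.exec(html)) !== null) {
    const url = m[1] ?? m[2] ?? m[3];
    const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(url);
    found.push({ url, scheme: scheme ? scheme[1].toLowerCase() : "(relative)" });
  }
  return found;
}

// Summarise what a data: channel carries and what it would load in turn.
function describeDataChannel(uri) {
  const { mediaType, params, body } = parseDataUri(uri);
  const loads = mediaType === "text/html" ? embeddedUrls(body) : [];
  const nonHttps = loads.filter((l) => l.scheme !== "https");
  return { mediaType, params, body, loads, nonHttps };
}

console.log(describeDataChannel(DATA_URI));
```

For the quoted payload the result is a text/html wrapper document whose only embedded URL is the https iframe pointing at wait.html.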
After I disable NoScript I can no longer produce the error. Cleared cache, went to page, canceled out of the login prompt and then even refreshed page; still page shows up as fully encrypted. After I re-enable NoScript and do the same steps the error occurs. When I look in the Media tab I see the following non-HTTPS content:

resource://noscript_0.4590145972767695/icon32.png

moz-icon://noscript?size=16&contentType=text/html

I do not see data: uri anywhere. =o\, the moz-icon: didn't show up before, it was data: showing up instead. I am using the latest x64 version of Firefox 3.1b4 nightly, and latest NoScript.
I'm not sure I can reproduce it in either way. Have you modified something on the server recently?
Sorry, it's not my server, it's an employee Novell storage site. The only thing on my end that would have changed is updating Firefox to a newer nightly version which is done each and every night.
And are you still able to reproduce it?
CrYpTiC MauleR: I will create a try server build with patch for bug 477118 and a potential patch for this bug. Would you be willing to retry the scenario with that build as I'm no longer able to?
I'll be more than willing to try it out. Will it be a build where I can just unzip it into /usr/lib/firefox? Provided I delete prior contents beforehand.
Thanks for help with it. It will be a tar.bz2 file. Give me a few days, I'm stuck with some more urgent work at the moment. Then I'll post a link to builds to this bug.
Blocks: 337897
Mauler: I'm sorry for such a delay, but I don't have time to fulfill comment 7 in the near future (weeks) right at the moment, but I keep this bug closely tracked.
Not a problem at all, just happy it's on the table. =o)
Blocks: lockicon
If this particular bug still appears, please re-open. This should be fixed on current 3.5.x and 3.6 releases.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE