509287 - security dialog should explain Fx3.5 partially encrypted with http images change and identify unencrypted components

Status: RESOLVED WORKSFORME

(Core Graveyard :: Security: UI, defect)

Description

[al_9x]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Is this change in behavior from 3.0 to 3.5 deliberate?  What are the reasons?

If this this is a security enhancement, because the page is less secure with http images then why does 3.0 not get it?

If deliberate, this change should include some explanation to the user when such a page is encountered, otherwise it is Fx3.5 that appears broken as all prior version don't show partial encryption

Reproducible: Always

Comment 1

[Wladimir Palant]

See bug 135007 and bug 305284.

Comment 2

[al_9x]

Did it not occur to anyone at Mozilla that when users upgrade to 3.5 and all of a sudden various encrypted pages turn partial, they will think Fx is broken, especially considering that Fx does not make it too obvious what's not encrypted?

The security dialog needs to explain this change and identify the unencrypted components.

Comment 3

[Edward]

I am going to open a new bug, but I am seeing somewhat similar behavior with the Linux version of SeaMonkey 2.0.  If I go to what should be an encrypted login page, the lock at the bottom will appear in red, indicating some items on the page are not SSL.  However if I select Reload, the same login page correctly loads in and the lock changes to yellow, indicating all items are SSL.  This occurs quite frequently on such login pages.

Comment 4

[Dana Keeler (she/her) [:keeler]]

The source of the mixed content should be pretty obvious now from the devtools (either in the web console or the network console).