Closed Bug 518280 Opened 15 years ago Closed 15 years ago

data: URIs (URLs) in SSL (Secure) webpages considered unauthenticated content

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 477118

People

(Reporter: dev+mozilla, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

When data: URIs (URLs) are loaded on an SSL-enabled webpage, the data: URI should be considered secure because its entire content is on the SSL webpage. If the webpage is authenticated and encrypted, then naturally, the data URI must be authenticated and encrypted as well.

However, Firefox 3.5 does not consider the data: URI to be encrypted or authenticated, so it warns the user of unauthenticated content. I believe this is a regression. I do not recall Firefox 3 or 2 treating a webpage as "partially encrypted" if it contained a data: URI.

Reproducible: Always

Steps to Reproduce:
1. Open an SSL webpage containing a data: URI.
2. Observe.
Alternative:
1. Open an SSL webpage.
2. Add a data: URI to the webpage using a DOM manipulator such as the DOM Inspector or Firebug.
3. Observe.
Actual Results:  
The webpage is considered to contain unauthenticated content.

Expected Results:  
Webpage should stay fully secure when data URIs are present. The lock icon should stay fully locked (without an exclamation blit), and there should be no warning.

Because the flag is wrong, the information in the Security tab is wrong too. The Security tab says:
"Technical Details
"Connection Partially Encrypted
"Parts of the page you are viewing were not encrypted before being transmitted over the Internet."

If the data: URI is the cause of this message, the message is incorrect. Of course, the solution is to fix the underlying bug rather than the message.
Flags: blocking-firefox3.6?
Summary: data: URIs (URLs) in SSL (Secure) Webpages considered unauthenticated content → data: URIs (URLs) in SSL (Secure) webpages considered unauthenticated content
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Note that I'm assuming you were testing with an image.  Firefox 2 and 3 didn't ever degrade security state for images, period (bug 135007).
Status: RESOLVED → VERIFIED
Thanks. I searched for this issue but bug 477118 did not come up for whatever reason.
Flags: blocking-firefox3.6?
The default search only searches open and duplicate issues, iirc.
You need to log in before you can comment on or make changes to this bug.