Warning: Contains unauthenticated content triggered by content requested in onunload event handler of a non-encrypted page we're navigating from

RESOLVED INACTIVE

Status

()

Core
Security
--
major
RESOLVED INACTIVE
8 years ago
3 days ago

People

(Reporter: Jacek Piszczek, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)

If some content is loaded inside an onunload event handler of an unencrypted site and the website the user is navigating to is encrypted, the certificate validation fails.

Reproducible: Always

Steps to Reproduce:
1. Go to http://gemius.pl/pl/praca/16/01, and click the 'Wypełnij aplikację' link at the bottom of the page
2. You'll navigate to https://www.gemius.pl/pl/praca/16/01/app but the certificate validation will fail due to a gif image downloaded in unload event. See the https://pro.hit.gemius.pl/hmapxy.js script, function ghmxy_save which is called on unload.
3. If you reload the page the certificate validation succeeds.
Actual Results:  
Firefox complained the page isn't secured while it should be.

Expected Results:  
http requests of a page we're navigating from should have no impact on the security of a page we're navigating to

Tested with FF 3.5 and 3.6 builds. FF 3.0 and older do not have this problem.
May be related to https://bugzilla.mozilla.org/show_bug.cgi?id=477118

Comment 1

8 years ago
Duplicate of bug 492358?

Comment 2

3 days ago
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 days ago
Resolution: --- → INACTIVE
You need to log in before you can comment on or make changes to this bug.