542230 - Warning: Contains unauthenticated content triggered by content requested in onunload event handler of a non-encrypted page we're navigating from

Status: RESOLVED DUPLICATE of bug 947079

(Core :: Security, defect)

Description

[Jacek Piszczek]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)

If some content is loaded inside an onunload event handler of an unencrypted site and the website the user is navigating to is encrypted, the certificate validation fails.

Reproducible: Always

Steps to Reproduce:
1. Go to http://gemius.pl/pl/praca/16/01, and click the 'Wypełnij aplikację' link at the bottom of the page
2. You'll navigate to https://www.gemius.pl/pl/praca/16/01/app but the certificate validation will fail due to a gif image downloaded in unload event. See the https://pro.hit.gemius.pl/hmapxy.js script, function ghmxy_save which is called on unload.
3. If you reload the page the certificate validation succeeds.
Actual Results:  
Firefox complained the page isn't secured while it should be.

Expected Results:  
http requests of a page we're navigating from should have no impact on the security of a page we're navigating to

Tested with FF 3.5 and 3.6 builds. FF 3.0 and older do not have this problem.
May be related to https://bugzilla.mozilla.org/show_bug.cgi?id=477118

Comment 1

[zug_treno]

Duplicate of bug 492358?

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit BugBot documentation.