Closed Bug 562010 Opened 14 years ago Closed 13 years ago

FireFox generates "connection partially encrypted" warning for pages that contain secure content from multiple domains

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
3.6 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED WORKSFORME

People

(Reporter: schwarzenneger, Unassigned)

Details

Attachments

(2 files)

This file should be placed on a webserver and viewed over http connection.
588 bytes, text/html
Details
This file should be placed on a webserver and viewed over https connection.
720 bytes, text/html
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3

All pages on my website use Google AJAX API.

When the page is viewed on http connection, the API is loaded from http://www.google.com/jsapi?key=

When the page is viewed on https connection, the API is loaded from https://www.google.com/jsapi?key=

User sessions normally start from http pages and at some point they are sent to https page for login and/or credit card entry. First time such a page is opened, the page behaves as some of the content is insecure. The indications include:

* The favicon not turning blue
* An exclamation icon over the padlock icon
* Right click > View Page Info shows "Connection Partially Encrypted" message
* Refreshing the same page fixes the problem.

Google AJAX API is used on various websites and it is probable that two websites might be using same set of files. In such case, above behavior can be observed when user clicks a link on http://domain.com/regular.html to https://another-domain.com/secure.html; the secure.html page will appear as partially encrypted.

Reproducible: Always

Steps to Reproduce:
Need a webserver that is https capable. See attached html files. Where to place the files and how to reproduce the error is documented in the files.



(a) I believe it has something to do with "caching"... Google AJAX APIs send aggressive caching instructions to the browser and may be the browser tries to use http cached version of the file on https pages.

(b) The problem looks very specific but eventually it wont be that way as gurus are recommending to switch to Google CDN servers for dispatching JavaScript libraries.
This file should be placed on a webserver and viewed over http connection. Before uploading, edit the two links in the file to point to your test https servers.
This file should be placed on a webserver and viewed over https connection. In relation to the previous file, this file can be placed on a webserver with same domain as the previous file to test case #1 or on a webserver with another domain name to test case #2.
Attachment #441785 - Attachment description: This file should be placed on a webserver and viewed over http connection. Before uploading, edit the two links in the file to point to your test https servers. → This file should be placed on a webserver and viewed over http connection.
IE8 and Google Chrome do not exhibit this behavior.
Version: unspecified → 3.6 Branch
What should I do to get someone to look at it?
Reporter -> Are you still experiencing this issue? Can you reproduce in safe mode and a new profile? Do you have a live site you can point to that exhibits this problem?
Salman -> Do you have a live site you can point to that exhibits
this problem?
Sorry, I am unable to reproduce the error with FireFox version:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13

You're welcome to close the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: