Incorrect security warning on javascript url on SSL site. secure https

VERIFIED DUPLICATE of bug 59499

Status

P3
normal
VERIFIED DUPLICATE of bug 59499
18 years ago
2 years ago

People

(Reporter: paul, Assigned: ddrinan0264)

Tracking

1.0 Branch
x86
All

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

18 years ago
BuildID:    20001026??

Mozilla issues a security warning stating "You have requested an insecure 
document. The document and any information you send back could be observed by a 
third party while in transit" for a javascript URL retrieved from a secure site 
when that is not the case.

This is a security issue, because any user accessing a site which does this 
will be forced to disable the security warning (or use another browser) else 
they will be driven insane. Users should not have to lessen the security of 
their browsers to work around browser bugs.

Reproducible: Always
Steps to Reproduce:
1.Load above URL
2.View source and see that there can be no security issue.
3.Click on link and watch mozilla complain.

Actual Results:  Mozilla complains          

Expected Results:  Mozilla should be happy

Comment 1

18 years ago
>Crypto. Confirmed on the 10/31 branch WinNT build. This does not happen with 
4.76 with or without PSM installed.
Assignee: mstoltz → ddrinan
Component: Security: General → Security: Crypto
QA Contact: czhang → junruh
(Reporter)

Comment 2

18 years ago
Also occurs on Linux Trunk 2000103108. If this has been confirmed (as per last
comment) should it not be moved to 'NEW' status?
OS: Windows 98 → All

Comment 3

18 years ago
Right. Set to new.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is actually a bug in Communicator, not a bug in Mozilla.
Communicator incorrectly accepts javascript and layers/stylesheets 
from http URLs on https pages.  
I've been told that the Communicator team is going to pay a 
bug bounty to the outside person that reported this problem
against Communicator.  It is my understanding that C4.7x
next release will warn users just as Mozilla is reported
here as doing.  

So, I'd say this bug is invalid.

Comment 5

18 years ago
Setting to invalid per nelsonb's comments.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → INVALID
(Reporter)

Comment 6

18 years ago
Nelson, junruh, would it be too much to ask to have you actually look at the testcase? There are no documents being retrieved over plain http.

Comment 7

18 years ago
Paul, of course I tested the link, but the link is https. I confirmed the bug on  
2000-10-31 15:05.
Reopening.  This bug is not what someone told me it was.

In this bug, a secure page loads another secure page using
a link that uses javascript to load the second secure page.

After loading the second page, mozilla clearly thinks the page
is not secure, showing the lock as open, even though it was
loaded using https, and has no mixed content.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Comment 9

18 years ago

*** This bug has been marked as a duplicate of 59499 ***
Status: REOPENED → RESOLVED
Last Resolved: 18 years ago18 years ago
Resolution: --- → DUPLICATE

Comment 10

18 years ago
Verified dupe.
Status: RESOLVED → VERIFIED

Comment 11

17 years ago
Mass changing Security:Crypto to PSM
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.1

Comment 12

17 years ago
Mass changing Security:Crypto to PSM

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

10 years ago
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.