Closed Bug 58180 Opened 24 years ago Closed 24 years ago

Incorrect security warning on javascript url on SSL site. secure https

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch
x86
All
defect

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 59499

People

(Reporter: paul, Assigned: ddrinan0264)

References

()

Details

BuildID: 20001026?? Mozilla issues a security warning stating "You have requested an insecure document. The document and any information you send back could be observed by a third party while in transit" for a javascript URL retrieved from a secure site when that is not the case. This is a security issue, because any user accessing a site which does this will be forced to disable the security warning (or use another browser) else they will be driven insane. Users should not have to lessen the security of their browsers to work around browser bugs. Reproducible: Always Steps to Reproduce: 1.Load above URL 2.View source and see that there can be no security issue. 3.Click on link and watch mozilla complain. Actual Results: Mozilla complains Expected Results: Mozilla should be happy
>Crypto. Confirmed on the 10/31 branch WinNT build. This does not happen with 4.76 with or without PSM installed.
Assignee: mstoltz → ddrinan
Component: Security: General → Security: Crypto
QA Contact: czhang → junruh
Also occurs on Linux Trunk 2000103108. If this has been confirmed (as per last comment) should it not be moved to 'NEW' status?
OS: Windows 98 → All
Right. Set to new.
Status: UNCONFIRMED → NEW
Ever confirmed: true
This is actually a bug in Communicator, not a bug in Mozilla. Communicator incorrectly accepts javascript and layers/stylesheets from http URLs on https pages. I've been told that the Communicator team is going to pay a bug bounty to the outside person that reported this problem against Communicator. It is my understanding that C4.7x next release will warn users just as Mozilla is reported here as doing. So, I'd say this bug is invalid.
Setting to invalid per nelsonb's comments.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
Nelson, junruh, would it be too much to ask to have you actually look at the testcase? There are no documents being retrieved over plain http.
Paul, of course I tested the link, but the link is https. I confirmed the bug on 2000-10-31 15:05.
Reopening. This bug is not what someone told me it was. In this bug, a secure page loads another secure page using a link that uses javascript to load the second secure page. After loading the second page, mozilla clearly thinks the page is not secure, showing the lock as open, even though it was loaded using https, and has no mixed content.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
*** This bug has been marked as a duplicate of 59499 ***
Status: REOPENED → RESOLVED
Closed: 24 years ago24 years ago
Resolution: --- → DUPLICATE
Verified dupe.
Status: RESOLVED → VERIFIED
Mass changing Security:Crypto to PSM
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.1
Mass changing Security:Crypto to PSM
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.