Closed
Bug 58180
Opened 24 years ago
Closed 24 years ago
Incorrect security warning on javascript url on SSL site. secure https
Categories
(Core Graveyard :: Security: UI, defect, P3)
Tracking
(Not tracked)
People
(Reporter: paul, Assigned: ddrinan0264)
References
()
Details
BuildID: 20001026??
Mozilla issues a security warning stating "You have requested an insecure
document. The document and any information you send back could be observed by a
third party while in transit" for a javascript URL retrieved from a secure site
when that is not the case.
This is a security issue, because any user accessing a site which does this
will be forced to disable the security warning (or use another browser) else
they will be driven insane. Users should not have to lessen the security of
their browsers to work around browser bugs.
Reproducible: Always
Steps to Reproduce:
1.Load above URL
2.View source and see that there can be no security issue.
3.Click on link and watch mozilla complain.
Actual Results: Mozilla complains
Expected Results: Mozilla should be happy
Comment 1•24 years ago
|
||
>Crypto. Confirmed on the 10/31 branch WinNT build. This does not happen with
4.76 with or without PSM installed.
Assignee: mstoltz → ddrinan
Component: Security: General → Security: Crypto
QA Contact: czhang → junruh
Reporter | ||
Comment 2•24 years ago
|
||
Also occurs on Linux Trunk 2000103108. If this has been confirmed (as per last
comment) should it not be moved to 'NEW' status?
OS: Windows 98 → All
Comment 4•24 years ago
|
||
This is actually a bug in Communicator, not a bug in Mozilla.
Communicator incorrectly accepts javascript and layers/stylesheets
from http URLs on https pages.
I've been told that the Communicator team is going to pay a
bug bounty to the outside person that reported this problem
against Communicator. It is my understanding that C4.7x
next release will warn users just as Mozilla is reported
here as doing.
So, I'd say this bug is invalid.
Comment 5•24 years ago
|
||
Setting to invalid per nelsonb's comments.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → INVALID
Reporter | ||
Comment 6•24 years ago
|
||
Nelson, junruh, would it be too much to ask to have you actually look at the testcase? There are no documents being retrieved over plain http.
Comment 7•24 years ago
|
||
Paul, of course I tested the link, but the link is https. I confirmed the bug on
2000-10-31 15:05.
Comment 8•24 years ago
|
||
Reopening. This bug is not what someone told me it was.
In this bug, a secure page loads another secure page using
a link that uses javascript to load the second secure page.
After loading the second page, mozilla clearly thinks the page
is not secure, showing the lock as open, even though it was
loaded using https, and has no mixed content.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Comment 9•24 years ago
|
||
*** This bug has been marked as a duplicate of 59499 ***
Status: REOPENED → RESOLVED
Closed: 24 years ago → 24 years ago
Resolution: --- → DUPLICATE
Comment 11•23 years ago
|
||
Mass changing Security:Crypto to PSM
Component: Security: Crypto → Client Library
Product: Browser → PSM
Version: other → 2.1
Comment 12•23 years ago
|
||
Mass changing Security:Crypto to PSM
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•