Bug 638535 (Closed): Mixed Content from Twitter and Facebook
Opened 14 years ago
Closed 14 years ago
Categories: Websites :: demos.mozilla.org, defect, P1
Tracking: (Not tracked)
Status: VERIFIED FIXED
Target Milestone: 1.2
People
(Reporter: ygjb, Unassigned)
Details
(Whiteboard: [infrasec:tls][ws:moderate])
Issue
The demo site contains mixed content loaded from twitter and facebook when loaded via https://.
Steps to Reproduce
Navigate to https://demos.mozilla.org/en-US/ to observe (if you have Firebug or a local proxy server you can see the requests via HTTP without TLS).
Remediation
Update requests to the following servers to use SSL:
http://platform.twitter.com/widgets.js
http://platform0.twitter.com/widgets/tweet_button.html
http://static.ak.fbcdn.net/rsrc.php
http://urls.api.twitter.com/1/urls/count.json
http://www.facebook.com/plugins/like.php
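The check from the Steps to Reproduce, automated: this is an added example, not code from this bug or from the demos.mozilla.org site. It parses an HTML page that is served over https://, resolves every subresource URL against the page URL, and reports the ones that a browser would fetch over plain http://, split into active content (scripts, stylesheets, frames, which an on-path attacker can replace to control the page) and passive content (images and media, which can only be spoofed). The sample markup is constructed from the URLs listed in this bug and is not the real page source; the hostnames for the protocol-relative and https examples are assumptions. Protocol-relative `//host/...` references and relative paths inherit the page's https scheme, so the scanner does not flag them; the page's own `http://` canonical link is not a fetched subresource and is skipped as well.

```python
"""Added example: scan an https page's markup for subresources loaded over http://."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Element -> (attribute holding the resource URL, mixed-content class).
# "active" resources can run code or restyle the page; "passive" ones only display.
RESOURCE_ATTRS = {
    "script": ("src", "active"),
    "link": ("href", "active"),     # only rel=stylesheet counts as a load, see below
    "iframe": ("src", "active"),
    "object": ("data", "active"),
    "embed": ("src", "active"),
    "img": ("src", "passive"),
    "audio": ("src", "passive"),
    "video": ("src", "passive"),
    "source": ("src", "passive"),
}


class MixedContentParser(HTMLParser):
    """Collects (tag, class, absolute_url) for every subresource resolving to http://."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in RESOURCE_ATTRS:
            return
        attr_name, kind = RESOURCE_ATTRS[tag]
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # <link rel=canonical> and friends are not fetched as subresources
        raw = attrs.get(attr_name)
        if not raw:
            return
        # urljoin resolves relative paths and protocol-relative "//host/..." URLs
        # against the https page URL, so those inherit https and are not mixed.
        absolute = urljoin(self.page_url, raw.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((tag, kind, absolute))


def find_mixed_content(page_url, html):
    """Return the http:// subresources a browser would load from an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages that are themselves secure
    parser = MixedContentParser(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def summarize(findings):
    """Count findings per class, the way a reviewer triages them."""
    counts = {"active": 0, "passive": 0}
    for _tag, kind, _url in findings:
        counts[kind] += 1
    return counts


# Constructed sample markup modelled on the embeds named in this bug; it is not
# the real demos.mozilla.org page source. The connect.facebook.net and
# /media/... references are assumed filler, not URLs from the bug.
SAMPLE_PAGE_URL = "https://demos.mozilla.org/en-US/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/tLxBqNdBDah.css">
<link rel="stylesheet" href="/media/css/site.css">
<script src="http://platform.twitter.com/widgets.js?via=firefox"></script>
<script src="//connect.facebook.net/en_US/all.js"></script>
<script src="https://demos.mozilla.org/media/js/main.js"></script>
</head><body>
<iframe src="http://platform0.twitter.com/widgets/tweet_button.html"></iframe>
<iframe src="http://www.facebook.com/plugins/like.php?href=https%3A%2F%2Fdemos.mozilla.org"></iframe>
<img src="http://platform0.twitter.com/widgets/images/tweet.png" alt="Tweet">
<img src="/media/img/logo.png" alt="logo">
<link rel="canonical" href="http://demos.mozilla.org/en-US/">
</body></html>
"""

if __name__ == "__main__":
    results = find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for tag, kind, url in results:
        print(f"{kind:7} <{tag}> {url}")
    print(summarize(results))
```

Run against the sample it reports four active findings (the fbcdn stylesheet, widgets.js, and the two http iframes) and one passive finding (tweet.png). Only markup-level references are found this way; scripts that inject further http:// requests at runtime, which is what the fbcdn rsrc.php loads in comment 3 are, still need the proxy or Firebug check from the reproduction steps.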
Comment 1•14 years ago
Austin,
Although we've already launched web of wonder, it would still be good to shore up this issue.
Updated•14 years ago
Priority: -- → P1
Target Milestone: --- → 1.2
Comment 2•14 years ago
(In reply to comment #0)
We'll work towards not causing the mixed content warning and url chrome issue... but is there any threat or other issues?
Many of these requests are because we include third-party scripts which don't support an https inclusion.
Comment 3•14 years ago
The two insecure images are:
Facebook
http://static.ak.fbcdn.net/rsrc.php/v1/zb/r/L6P2fymQtet.png
Twitter
http://platform0.twitter.com/widgets/images/tweet.png
Eight non-SSL scripts are:
Twitter
http://platform.twitter.com/widgets.js?via=firefox
FB
http://static.ak.fbcdn.net/rsrc.php/v1/yZ/r/90BVi3W2YRq.js
http://static.ak.fbcdn.net/rsrc.php/v1/ya/p/r/fqBf4lGU5sK.js
http://static.ak.fbcdn.net/rsrc.php/v1/yu/p/r/XJFvCZMEr0m.js
http://static.ak.fbcdn.net/rsrc.php/v1/yF/p/r/SORnYgoiLre.js
http://static.ak.fbcdn.net/rsrc.php/v1/yk/p/r/WjWeH59TVE1.js
http://static.ak.fbcdn.net/rsrc.php/v1/yb/p/r/TWY_B2Ch2_W.js
http://static.ak.fbcdn.net/rsrc.php/v1/y1/p/r/HtvDZaB-73l.js
One non-SSL CSS file:
FB
http://static.ak.fbcdn.net/rsrc.php/v1/yK/r/tLxBqNdBDah.css
I found a way to fix this for Facebook, using an https iframe. That clears up quite a bit of the http requests.
There is no analogous fix for Twitter; attempting to use their JS script over https is aborted due to the invalid SSL cert.
Comment 4•14 years ago
Dang, that mixed content is frustrating. Especially within chrome and the big red slash through HTTPS.
You're correct though. There is little risk to the end user since they don't enter any sensitive data through this site. However, since it's a marketing-related site it's unfortunate we can't put our best foot forward from a security perspective too.
Comment 5•14 years ago
I did some searching about twitter. It looks like they don't support SSL (as you observed) and suggest we build our own button.
https://dev.twitter.com/pages/tweet_button_faq
Does the Tweet Button work over HTTPS?
At the moment the Tweet Button does not work over SSL. We are looking into making this possible but for the time being we only support HTTP. If you need to use SSL we recommend you build your own Tweet Button.
https://dev.twitter.com/pages/tweet_button#build-your-own
Comment 6•14 years ago
(In reply to comment #5)
We have already built our own tweet, which is how we're doing SSL. This does still require us to source their JS which is served over http.
<rant>
Mozilla should look into building and hosting our own "Social Counter"s, so that we protect users privacy, our web app performance, and we don't run into mickey mouse integration issues, like we do with FB and Twitter.
</rant>
Thanks to mcoates and ygjb, we've fixed the FB integration... marking fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•13 years ago
Status: RESOLVED → VERIFIED
Updated•13 years ago
Group: websites-security, infra, mozilla-corporation-confidential