Closed Bug 656290 Opened 13 years ago Closed 13 years ago

about:blank shows bogus "Site identity" door hanger missed by bug 590206

Categories

(Firefox :: General, defect)

x86
Windows Vista
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: alex_mayorga, Unassigned)

User-Agent:       Mozilla/5.0 (Windows NT 6.0; rv:6.0a1) Gecko/20110510 Firefox/6.0a1
Build Identifier: Mozilla/5.0 (Windows NT 6.0; rv:6.0a1) Gecko/20110510 Firefox/6.0a1

For all about: pages but about:blank no site identity is shown.

Reproducible: Always

Steps to Reproduce:
1. Open about:blank
2. Click "Site Identity Button"

Actual Results:  
The door hanger reads:
"This web site does not supply ownership information.
Your connection to this web site is not encrypted. <More Information...>"

Expected Results:  
No door hanger appears.
Blocks: 590206
We explicitly didn't do this for about:blank because that can often be web content so we still want to have the warnings just as for regular webpages. I think this is a wontfix.
indeed
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
I would have thought about:blank was meant to be pure nothingness...
I think it would be better to keep location.protocol unset instead of setting it to http in the about:blank case - https://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#4271
(In reply to Tanvi Vyas [:tanvi] from comment #4)
> I think it would be better to keep location.protocol unset instead of
> setting it to http in the about:blank case -
> https://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#4271

Why?
(In reply to :Gavin Sharp (use gavin@gavinsharp.com for email) from comment #5)
> (In reply to Tanvi Vyas [:tanvi] from comment #4)
> > I think it would be better to keep location.protocol unset instead of
> > setting it to http in the about:blank case -
> > https://mxr.mozilla.org/mozilla-central/source/browser/base/content/browser.js#4271
> 
> Why?

Because setting it to http suggests it is a plaintext network request. Setting it to https implies it is an encrypted network request. Neither is really true, but setting it to http means that it could be considered https in a mixed content case.

Luckily, this doesn't happen in the code because the call to checkIdentity is only using the state right now to set the identity mode (and doesn't consider the location protocol unless it's about:(!blank) or chrome:). I'm writing the mixed content blocker, and will make sure we don't accidentally classify about:blank as mixed content (since it is not sent over the network unencrypted), but this seems like it could cause an error in the future if checkIdentity starts relying more heavily on location.protocol.
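
The hazard raised in the last comment, as an added example that is not Firefox's browser.js or mixed content blocker code: a check that trusts a substituted "http:" protocol flags about:blank as mixed content, while leaving the protocol unset, or classifying by the real scheme, does not. All function names and the list of local schemes are assumptions made for this sketch.

```javascript
// Hypothetical sketch; none of these functions exist in Firefox.

// Schemes that are never fetched over the network (assumed list for this sketch).
const LOCAL_SCHEMES = new Set(["about:", "chrome:", "data:", "blob:"]);

// Behaviour discussed in the thread: about:blank is reported as "http:".
function protocolWithHttpFallback(uri) {
  return uri === "about:blank" ? "http:" : new URL(uri).protocol;
}

// Alternative proposed in comment 4: leave the protocol unset for about:blank.
function protocolUnsetForBlank(uri) {
  return uri === "about:blank" ? null : new URL(uri).protocol;
}

// Naive mixed-content test that trusts whatever protocol string it is handed.
function isMixedNaive(parentUri, childUri, getProtocol) {
  return getProtocol(parentUri) === "https:" && getProtocol(childUri) === "http:";
}

// Stricter test: only a plaintext network load under a secure parent counts.
function isMixedStrict(parentUri, childUri) {
  const child = new URL(childUri).protocol;
  if (LOCAL_SCHEMES.has(child)) return false; // nothing is sent on the wire
  const parentSecure = new URL(parentUri).protocol === "https:";
  return parentSecure && (child === "http:" || child === "ws:");
}

// Constructed sample inputs.
const parent = "https://example.com/";
const results = {
  fallback: isMixedNaive(parent, "about:blank", protocolWithHttpFallback),
  unset: isMixedNaive(parent, "about:blank", protocolUnsetForBlank),
  strictBlank: isMixedStrict(parent, "about:blank"),
  strictHttp: isMixedStrict(parent, "http://example.com/a.js"),
};
console.log(results);
```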