Created attachment 592390
Warning screenshot

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Build ID: 20111220165912

Steps to reproduce:
Enter https://mail.yandex.com.

Actual results:
A "Security Warning" window appears (screenshot attached).
Traffic sniffers (Firebug, Charles, SmartSniff and Wireshark) don't capture any http requests; there are https and 443 port only.
Our guess is that the CORS long polling request to https://webchat2.yandex.com triggers this warning. However, a blank page with that request doesn't reproduce that behaviour.

Expected results:
No "Security Warning" on these pages. Also, some debugging information on these warnings would be very helpful.
Attachment #592390 - Attachment description: Снимок экрана 2012-01-27 в 16.32.57.png → Warning screenshot
Steps to reproduce (updated):
1. Register and log in at https://mail.yandex.com.
2. Go to Settings - Chat.
3. Check "Enable chat in Yandex.Mail".
4. "Save changes".
Related to or dupe of bug 506008?
No. There are no redirects from http to https. Also, this behaviour was introduced in FF9. FF8 doesn't show this warning.
Using testcase in comment 5:

WFM:
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:22.214.171.124) Gecko/20111212 Firefox/3.6.25
Opera/9.80 (X11; Linux x86_64; U; en) Presto/2.10.229 Version/11.61
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.77 Safari/535.7

Reproduced:
Mozilla/5.0 (X11; Linux x86_64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0
Mozilla/5.0 (X11; Linux x86_64; rv:11.0a2) Gecko/20120129 Firefox/11.0a2
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20120130 Firefox/12.0a1

Last good nightly: 2011-09-21
First bad nightly: 2011-09-22
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e8bd19f6abbb&tochange=4495e1f795c2
OS: Mac OS X → All
Hardware: x86 → All
Version: 9 Branch → Trunk
Maybe bug 444641?
The first bad revision is:
changeset: 77221:c237a8550070
user: Boris Zbarsky <firstname.lastname@example.org>
date: Tue Sep 20 17:00:42 2011 -0400
summary: Bug 444641 part 3. Propagate the loading principal to the image channel as needed. r=joe,dveditz
https://hg.mozilla.org/mozilla-central/rev/c237a8550070
Status: UNCONFIRMED → NEW
Component: Untriaged → General
Ever confirmed: true
Product: Firefox → Core
QA Contact: untriaged → general
Component: General → Security: PSM
QA Contact: general → psm
Attachment #595312 - Flags: review?(kaie)
Assignee: nobody → bzbarsky
Whiteboard: [need review]
Oh, two more things: 1) I really appreciate the problem diagnosis and simple testcase! 2) Kai, how do I add a test for this?
Attachment #595312 - Flags: review?(kaie) → review+
Because this bug is a regression in shown security state, it should be considered for the extended support branch.
tracking-firefox-esr10: --- → ?
> They are in security/manager/ssl/tests/mochitest/mixedcontent.
Perfect, that's what I needed. I have a test for this now.
Target Milestone: --- → mozilla13
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
[Triage Comment] tracking for ESR Firefox 13
tracking-firefox-esr10: ? → 13+
Attachment #595312 - Flags: approval-mozilla-esr10?
Attachment #595312 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
status-firefox-esr10: --- → fixed
@ypetrov, can you please confirm this is fixed in latest-mozilla-esr10? ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-esr10/
Verified fixed with Firefox 10.0.5esrpre 2012-05-31.
Status: RESOLVED → VERIFIED
status-firefox-esr10: fixed → verified