Closed Bug 749525 Opened 12 years ago Closed 12 years ago

Throw an error or warning when an unsafe https resource is being blocked.

Categories

(Core :: Security, enhancement)

x86
Linux
enhancement
Not set
normal


RESOLVED DUPLICATE of bug 695066

People

(Reporter: jeroen.ooms, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Ubuntu/11.10 Chromium/18.0.1025.151 Chrome/18.0.1025.151 Safari/535.19

Steps to reproduce:

We created a web application for high schools and are hosting it on our CA-certified HTTPS host. The web application also has some embedded resources from other HTTPS sites. It embeds some js / css files from these hosts:

https://maps.gstatic.com
https://www.google.com
https://maps.google.com
https://maps.googleapis.com


Actual results:

Teachers and students reported that the website was not working on some computers in some schools. It was working on some other computers. It was very strange and took very long to debug.

It turned out that the schools are using an internal proxy server that filters all HTTP and HTTPS traffic. They do this to prevent students from opening adult sites. However, as a side effect all of the HTTPS requests are encrypted with a self-signed certificate on the proxy instead of the actual certificate from the host.

As a result, for every https site that students open in the browser they get to see the 'unsafe ssl certificate' warning and have to confirm the security exception. I think this is really bad policy from the school, but unfortunately that is out of my control.

However, the reason the sites were not working was because of the embedded https resources from other domains. These were all silently blocked. Instead of issuing a warning that the web application was trying to load content from a host with a self-signed certificate, it would just not do anything.


Expected results:

Whenever Firefox blocks an embedded https resource because the SSL certificate is untrusted, it should throw a warning or error. Something to let the developer know.

If you directly open an https website that has an untrusted certificate, you get to see the big warning and you have an option to make a security exception. However, when an unsafe https resource is embedded or called through ajax it is silently blocked. This makes it very hard to debug this problem.
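Until the browser itself reports these blocks, a web application can at least make them visible from its own side. The following is an added example (not code from the reporter, the application described, or Mozilla): it probes each embedded origin listed above, treats any network-level failure as "blocked", and logs a warning so the silent failure shows up in the console. It assumes that probing the origin root is acceptable and that an opaque no-cors fetch is a good enough proxy for "would a script/css load from this host succeed"; the fake loader simulating a filtering proxy is constructed so the code also runs offline under Node.

```javascript
// Added example, not from the bug report: surface silently blocked HTTPS
// subresources by probing each embedded origin and reporting failures.
//
// A certificate problem on a subresource reaches script only as a generic
// network error (a rejected fetch() or an element 'error' event) with no
// certificate detail, so the monitor reports "blocked" rather than guessing
// at the cause.

// The four hosts from the bug report. Probing the origin root ("/") is an
// assumption of this example; the real resources have their own paths.
const EMBEDDED_ORIGINS = [
  "https://maps.gstatic.com",
  "https://www.google.com",
  "https://maps.google.com",
  "https://maps.googleapis.com",
];

// Probe one URL with the supplied loader. The loader abstracts the browser
// call so the same logic can be exercised offline with a fake loader.
async function probe(url, loader, timeoutMs = 5000) {
  const started = Date.now();
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout")), timeoutMs);
  });
  try {
    await Promise.race([loader(url), timeout]);
    return { url, status: "ok", reason: null, elapsedMs: Date.now() - started };
  } catch (err) {
    // Browsers expose only a generic error for TLS/certificate failures.
    const reason = err instanceof Error ? err.message : String(err);
    const status = reason === "timeout" ? "timeout" : "blocked";
    return { url, status, reason, elapsedMs: Date.now() - started };
  } finally {
    clearTimeout(timer);
  }
}

// Probe every origin concurrently and warn about each one that did not load.
// Returns both the full result list and the failed subset.
async function probeAll(urls, loader, timeoutMs = 5000) {
  const results = await Promise.all(urls.map((u) => probe(u, loader, timeoutMs)));
  const blocked = results.filter((r) => r.status !== "ok");
  for (const r of blocked) {
    console.warn(`[subresource-check] ${r.status}: ${r.url} (${r.reason})`);
  }
  return { results, blocked };
}

// Browser loader: an opaque no-cors fetch resolves when the connection and
// certificate are accepted and rejects with a TypeError otherwise.
function browserFetchLoader(url) {
  return fetch(url + "/", { mode: "no-cors", cache: "no-store" });
}

// Constructed fake loader for offline runs: simulates a filtering proxy whose
// self-signed certificate is rejected for the given hosts.
function fakeProxyLoader(blockedHosts) {
  return (url) => {
    const host = new URL(url).hostname;
    return blockedHosts.has(host)
      ? Promise.reject(new TypeError("NetworkError when attempting to fetch resource."))
      : Promise.resolve({ ok: true, type: "opaque" });
  };
}

// In a browser this probes the real hosts; under Node it uses the fake proxy.
async function main() {
  const inBrowser = typeof window !== "undefined" && typeof fetch === "function";
  const loader = inBrowser
    ? browserFetchLoader
    : fakeProxyLoader(new Set(["maps.google.com", "maps.googleapis.com"]));
  const { blocked } = await probeAll(EMBEDDED_ORIGINS, loader);
  console.log(`${blocked.length} of ${EMBEDDED_ORIGINS.length} embedded origins failed to load`);
  return blocked.length;
}

main().catch((e) => console.error(e));
```

Run it from the page's own scripts (or paste it into the console on an affected machine) to get an explicit list of which embedded origins the proxy is breaking; the warnings appear in the console that comment 1 below refers to even though the browser itself stays silent.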
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Does nothing show up in the error console? That's where I'd hope we would be logging this.
See bug 695066 and bug 688810.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE