Closed Bug 769846 Opened 12 years ago Closed 11 years ago

mobile https Google search results pages are mixed-content (partially encrypted)

Categories

(Web Compatibility :: Site Reports, defect)

ARM
Android
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: bug.zilla, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901

Steps to reproduce:

(1) Visited https://www.google.co.uk/m

(2) Set keyword.url to https://www.google.co.uk/search?hl=en&sky=ee&q=

(3) Set keyword.url to https://www.google.co.uk/m?search?ie=UTF-8&oe=utf-8&q=


Actual results:

(1) Takes you to the secure site and the padlock appears

(2) and (3) do not show the padlock


Expected results:

Padlock appears when visiting (2) and (3) from Firefox desktop, so it should also appear when using Fennec

Firefox mobile (Fennec) has the same browser engine (Gecko) as desktop but it's a different browser. I'm fairly certain it doesn't support keyword.url and instead uses a completely different mechanism to distinguish searches from URLs (there's no separate search box, it's just one field).

I know there's a way to add search providers through add-ons; I'm not sure if there's an easy way to replace one of the built-in ones but that's what you'd have to do. Not a security bug, this is either an enhancement request (want ability to install different version of Google search) or should be closed "worksforme" if that feature exists already.
Group: core-security
I'm pretty sure that mobile Firefox uses a search plugin:
http://mxr.mozilla.org/mozilla-central/source/mobile/locales/en-US/searchplugins/google.xml

And that it defaults to https://www.google.com for searches.  I have no idea if you can change the URL without replacing the search plugin, but the default searches should be secure.
Keyword.url should work. On my phone, we do load the correct https page, but don't show a padlock.
https://www.google.co.uk/m?search?ie=UTF-8&oe=utf-8&q=test does not show a padlock (in desktop or mobile) because it is mixed-content.  It uses http for the images on the page.  This is a Google issue, not a Firefox bug.
Status: UNCONFIRMED → NEW
Component: General → Evangelism
Ever confirmed: true
OS: Windows 7 → All
QA Contact: general → evangelism
Hardware: x86_64 → All
Summary: Cannot force https on Google searches → mobile https Google search results pages are mixed-content (partially encrypted)
Version: Firefox 16 → Trunk
(In reply to Matt Brubeck (:mbrubeck) from comment #4)
> https://www.google.co.uk/m?search?ie=UTF-8&oe=utf-8&q=test does not show a
> padlock (in desktop or mobile) because it is mixed-content.  It uses http
> for the images on the page.  This is a Google issue, not a Firefox bug.

Is it a security issue to serve sensitive content via SSL and non sensitive content (static images) via plain HTTP? If not, this sounds like a Firefox issue to me.
(In reply to Lawrence Mandel [:lmandel] from comment #5)
> Is it a security issue to serve sensitive content via SSL and non sensitive
> content (static images) via plain HTTP? If not, this sounds like a Firefox
> issue to me.

Yes, mixed content is a security risk.  Other browsers also display partially-encrypted pages like this one as "insecure"; for example Chrome displays a warning icon over the padlock in the address bar.
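
Comment #4 traces the missing padlock to images fetched over http on an https page. The following Python check is an added example (not part of the bug thread or of Firefox's code) that lists such subresources in a page's HTML; it goes beyond the image case by also separating passive content from active content such as scripts and frames. The sample URL and markup are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Passive ("display") subresources vs active ones that can script or restyle the page.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
ACTIVE = {("script", "src"), ("iframe", "src"), ("embed", "src"), ("object", "data")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url  # a <base href> may override this
        self.findings = []        # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base_url = urljoin(self.base_url, attrs["href"])
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            self._check("active", tag, attrs.get("href"))
        for name, value in attrs.items():
            if (tag, name) in ACTIVE:
                self._check("active", tag, value)
            elif (tag, name) in PASSIVE:
                self._check("passive", tag, value)

    def _check(self, kind, tag, value):
        url = urljoin(self.base_url, (value or "").strip())  # resolves relative and //host URLs
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def scan(page_url, html):
    """Return (kind, tag, url) for each http:// subresource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to pages loaded over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page on placeholder hosts (not Google's actual markup).
SAMPLE_URL = "https://search.example/m?q=test"
SAMPLE_HTML = """<head><link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example/app.js"></script></head>
<body><img src="http://images.example/thumb1.jpg">
<img src="/images/logo.png"><img src="https://images.example/thumb2.jpg">
<iframe src="http://ads.example/frame.html"></iframe></body>"""

if __name__ == "__main__":
    for kind, tag, url in scan(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit the page's https scheme and are not reported; only the two explicit http:// references in the sample are.
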
I just confirmed that Chrome displays the page with the same warning as Firefox (as Matt said). I'll add this to the list of issues to pass along to Google but it is of note that this issue exists in their own product.
It looks like this has been fixed by Google.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
I can reproduce this issue on the latest Nightly. I type "news" in the URL Bar and then I tap on the "news" suggestion for Google. Even if the URL is an SSL one, the lock is not displayed.

The same happens for "mozilla". However, when I try this for "home", the site-identity lock is displayed. Reopening bug.

--
Firefox 18.0a1 (2012-10-08)
Device: Galaxy Note
OS: Android 4.0.4
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Component: Evangelism → Mobile
OS: All → Android
Product: Firefox for Android → Tech Evangelism
Hardware: All → ARM
Version: Trunk → unspecified
Is this bug still an issue?  I tried searching for "news," "mozilla," "home," "puppies," "kittens," etc., but saw the site-identity lock on each search results page.

Firefox 19.0a1 (2012-11-06)
Device:  Samsung Galaxy Nexus
OS:  Android 4.1.1
I do not see a padlock when entering the URL
https://www.google.co.uk/m?search?ie=UTF-8&oe=utf-8&q=test

Interestingly, I do see a padlock when searching "news", "home", "puppies", and "kittens" but not when searching "mozilla".
This seems to work just fine now. I haven't seen a missing padlock on a single query.
Status: REOPENED → RESOLVED
Closed: 12 years ago → 11 years ago
Resolution: --- → WORKSFORME
Blocks: 844556
This wasn't an issue with the Mixed Content Blocker, because no content was blocked back when this bug was filed.  Removing the blocker.
No longer blocks: 844556
Product: Tech Evangelism → Web Compatibility
Component: Mobile → Site Reports