Closed Bug 783299 Opened 12 years ago Closed 8 years ago

Subresources loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate

Categories: Core :: Security: PSM, defect
Version: 14 Branch
Platform: x86, Windows XP
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED WORKSFORME

People: Reporter: mozilla; Unassigned

Whiteboard: [js:p2]

Attachments: 1 file

Using FF 14.0.1 even in Safe Mode and with a new profile, the URL is completely non-functional while working in Chromium and IE.

Error console is full of errors like:

Timestamp: 8/16/2012 8:49:52 AM
Error: ReferenceError: jQuery is not defined
Source File: http://www.southerncalifornia.buyatoyota.com/scripts/jqtransformplugin/jquery.jqtransform.js
Line: 369
The link works for me with Firefox 14.0.1 on Mac...

You're sure you don't have any extensions (esp. ones that block some network access) installed system-wide?
There are no extensions installed. It is a brand-new install of FF. It could be something unique to the corporate network and/or domain membership, but it doesn't affect Chromium or IE.
Attached image No extensions
OK.  What does your UA string look like?

When you view source on the site, do you see this part:

  <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

?

(In reply to Boris Zbarsky (:bz) [In and out Aug 1 - 10, out Aug 11-20] from comment #4)
> OK.  What does your UA string look like?

Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

> When you view source on the site, do you see this part:
> 
>   <script
> src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></
> script>
> 
> ?

Yes. It is the first script element on the page on line #14.
I turned on request/response logging and there's this interesting line:

[14:07:57.844] GET https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js [undefined 78ms]
They both work as direct links. I have a feeling this has to do with the fact that my corporate network uses Websense filtering with built-in SSL interception. Although I've OK'd the corporate certificate (that's why it works directly), I suspect there is something in Firefox that's refusing to load that script because the certificate doesn't match the domain.
That's it. I was able to get a prompt asking me to confirm the security exception by trying to load https://ajax.googleapis.com. Once I OK'd that, everything works. I guess the real trouble here is the silent failure. Many businesses, and especially government agencies, use SSL interception firewalls and this behavior breaks some sites without the end user having any hope of even knowing what's happening.
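The request-log line quoted above is the only trace the failure leaves. As an added example (not code from this bug or from Firefox), the following Python scans Web Console request lines in that format and flags HTTPS subresources that completed with no HTTP status, which is what a certificate error on an intercepting proxy looks like from the page's side; apart from the line quoted from the bug, the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Matches the Web Console request log format quoted in the bug:
#   [14:07:57.844] GET https://host/path [undefined 78ms]
# The bracketed trailer is either "undefined" (no response) or a
# status line such as "HTTP/1.1 200 OK", followed by the elapsed time.
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\]\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"\[(?P<status>.+?)\s+(?P<ms>\d+)ms\]$"
)


def parse_line(line):
    """Parse one request log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["ms"])
    return rec


def find_silent_https_failures(lines, page_host):
    """Return records for HTTPS requests that finished with no HTTP status.

    A request logged as 'undefined' never received a response. For an https://
    URL, a certificate that fails validation (e.g. one issued by an interception
    proxy the user has not accepted an exception for) is one likely cause, and
    the page itself shows no warning. Cross-origin hosts are marked because the
    page-level exception the user already granted does not cover them.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["url"])
        if parts.scheme != "https" or rec["status"] != "undefined":
            continue
        rec["host"] = parts.hostname
        rec["cross_origin"] = parts.hostname != page_host
        hits.append(rec)
    return hits


# Constructed sample log; only the first line is quoted from the bug report.
SAMPLE_LOG = [
    "[14:07:57.844] GET https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js [undefined 78ms]",
    "[14:07:57.901] GET http://www.southerncalifornia.buyatoyota.com/scripts/jqtransformplugin/jquery.jqtransform.js [HTTP/1.1 200 OK 120ms]",
    "[14:07:58.010] GET https://www.southerncalifornia.buyatoyota.com/css/site.css [HTTP/1.1 200 OK 45ms]",
    "not a log line",
]
```

Running `find_silent_https_failures(SAMPLE_LOG, "www.southerncalifornia.buyatoyota.com")` returns only the ajax.googleapis.com entry, marked cross-origin.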
Summary: JavaScript Errors Prevent Site from Loading → JavaScript loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate
The reason IE and Chrome do not display this issue is because they use the Windows Certificate Store, which already has the corporate certificate installed. FF has its own store which the user controls, even in a corporate environment (which isn't a bad thing for the user). FF's certificate management was how I discovered that our corporate IT had implemented a MITM attack on all HTTPS traffic.

I'm not sure what the right thing to do is, but my initial inclination is that whenever any element of a page experiences a certificate error FF should display the same dialog that it would if the page itself had the same issue.
Whiteboard: [js:p2]
Assignee: general → nobody
Component: JavaScript Engine → Security: PSM
Summary: JavaScript loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate → Subresources loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate
The network console or the browser console can be used to diagnose the issue in these cases.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
The issue was already diagnosed. Are you confirming that page elements that aren't loaded due to certificate errors cause the user to be alerted to that failure?
I'm saying if a user needs to investigate a failure like this, they can use those tools. As a result, there's nothing more we need to do here in this bug.
So it's WONTFIX rather than WORKSFORME.