Subresources loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate

Status: RESOLVED WORKSFORME
Product: Core
Component: Security: PSM
Opened: 5 years ago
Modified: a year ago
Reporter: Jerry Baker
Assignee: Unassigned
Version: 14 Branch
Platform: x86, Windows XP
Whiteboard: [js:p2]
Attachments: 1 attachment

(Reporter)

Description

5 years ago
Using FF 14.0.1 even in Safe Mode and with a new profile, the URL is completely non-functional while working in Chromium and IE.

Error console is full of errors like:

Timestamp: 8/16/2012 8:49:52 AM
Error: ReferenceError: jQuery is not defined
Source File: http://www.southerncalifornia.buyatoyota.com/scripts/jqtransformplugin/jquery.jqtransform.js
Line: 369

Comment 1

5 years ago
The link works for me with Firefox 14.0.1 on Mac...

You're sure you don't have any extensions (esp. ones that block some network access) installed system-wide?
(Reporter)

Comment 2

5 years ago
There are no extensions installed. It is a brand-new install of FF. It could be something unique to the corporate network and/or domain membership, but it doesn't affect Chromium or IE.
(Reporter)

Comment 3

5 years ago
Created attachment 652487
No extensions

Comment 4

5 years ago
OK.  What does your UA string look like?

When you view source on the site, do you see this part:

  <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>

?
(Reporter)

Comment 5

5 years ago

(In reply to Boris Zbarsky (:bz) [In and out Aug 1 - 10, out Aug 11-20] from comment #4)
> OK.  What does your UA string look like?

Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

> When you view source on the site, do you see this part:
> 
>   <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
> 
> ?

Yes. It is the first script element on the page on line #14.
(Reporter)

Comment 6

5 years ago
I turned on request/response logging and there's this interesting line:

[14:07:57.844] GET https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js [undefined 78ms]

Comment 7

5 years ago
Does that URL work if you load it directly?

https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js

What about the "http" version?

http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js
(Reporter)

Comment 8

5 years ago
They both work as direct links. I have a feeling this has to do with the fact that my corporate network uses Websense filtering with built-in SSL interception. Although I've OK'd the corporate certificate (that's why it works directly), I suspect there is something in Firefox that's refusing to load that script because the certificate doesn't match the domain.
(Reporter)

Comment 9

5 years ago
That's it. I was able to get a prompt asking me to confirm the security exception by trying to load https://ajax.googleapis.com. Once I OK'd that, everything works. I guess the real trouble here is the silent failure. Many businesses, and especially government agencies, use SSL interception firewalls and this behavior breaks some sites without the end user having any hope of even knowing what's happening.
(Reporter)

Updated

5 years ago
Summary: JavaScript Errors Prevent Site from Loading → JavaScript loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate
(Reporter)

Comment 10

5 years ago
The reason IE and Chrome do not display this issue is because they use the Windows Certificate Store, which already has the corporate certificate installed. FF has its own store which the user controls, even in a corporate environment (which isn't a bad thing for the user). FF's certificate management was how I discovered that our corporate IT had implemented a MITM attack on all HTTPS traffic.

I'm not sure what the right thing to do is, but my initial inclination is that whenever any element of a page experiences a certificate error FF should display the same dialog that it would if the page itself had the same issue.
Whiteboard: [js:p2]
Assignee: general → nobody
Component: JavaScript Engine → Security: PSM
Summary: JavaScript loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate → Subresources loaded over SSL (HTTPS) silently fails to load if there is an error with the certificate
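
The diagnosis reached in comments 8 to 10, as an added example that is not part of the bug thread or of Firefox: it lists the HTTPS subresource hosts of a page and checks each host's certificate against a chosen CA bundle. The sample HTML is constructed around the script tag quoted above; `cafile` is an assumed path to a PEM export of the trust store being compared, and `None` means the operating system's store.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the page URL and script tag quoted in the bug, plus
# made-up same-origin and protocol-relative resources for contrast.
PAGE_URL = "http://www.southerncalifornia.buyatoyota.com/"
SAMPLE_HTML = """
<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script src="/scripts/jqtransformplugin/jquery.jqtransform.js"></script>
</head><body><img src="//ajax.googleapis.com/logo.png"></body></html>
"""

class _SubresourceCollector(HTMLParser):
    """Collects src/href URLs of script, img, iframe and link elements."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)

def https_subresource_hosts(html, page_url):
    """Return sorted (host, port) pairs of HTTPS subresources on other hosts."""
    collector = _SubresourceCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    hosts = set()
    for raw in collector.urls:
        parts = urlsplit(urljoin(page_url, raw))  # resolves relative and // URLs
        if parts.scheme == "https" and parts.hostname != page_host:
            hosts.add((parts.hostname, parts.port or 443))
    return sorted(hosts)

def probe_certificate(host, port=443, cafile=None, timeout=5):
    """Handshake with full verification; return None or the verify error text."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
```

Behind an intercepting proxy, a host for which `probe_certificate` returns an error text with one bundle and `None` with the system store is one that a browser relying on that bundle will refuse as a subresource.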

Updated

2 years ago
Duplicate of this bug: 993103

Updated

2 years ago
Duplicate of this bug: 446554

Comment 13

a year ago
The network console or the browser console can be used to diagnose the issue in these cases.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 14

a year ago
The issue was already diagnosed. Are you confirming that page elements that aren't loaded due to certificate errors cause the user to be alerted to that failure?

Comment 15

a year ago
I'm saying if a user needs to investigate a failure like this, they can use those tools. As a result, there's nothing more we need to do here in this bug.
(Reporter)

Comment 16

a year ago
So it's WONTFIX rather than WORKSFORME.