Closed Bug 793538 Opened 12 years ago Closed 12 years ago

Padlock displays if http content is redirected to https

Categories: Core :: Security: PSM, defect

Version: 15 Branch
Hardware: x86 / macOS
Type: defect
Priority: Not set
Severity: normal

Resolution: RESOLVED DUPLICATE of bug 418354

People: Reporter: garrett.reid, Unassigned

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26.14 (KHTML, like Gecko) Version/6.0.1 Safari/536.26.14

Steps to reproduce:

A website loaded over https doesn't show a padlock icon if there's insecure content. This is correct, because an attacker on the network could tamper with a resource and cause the page to do Bad Things®™.

However, if those resources are redirected to https, Firefox shows the padlock icon, regardless of what domain the secured content is coming from.

POC: https://garrettreid.com/firefox_test.html

I've put a redirect in place on the URL http://garrettreid.com/good_script.js to represent an attacker tampering with traffic.


Actual results:

Firefox saw a request for a script over http, hit a redirect (which could be put in by an attacker), and went off and loaded evil_script.js instead of good_script.js. So far, nothing unusual.

However, since the redirect was to an https resource, Firefox shows the padlock icon, even though the resource is unrelated to the original.


Expected results:

Padlock icon should not appear in menu bar in this case. (Safari shows no lock icon; Chromium shows a padlock but doesn't seem to execute the script.)
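The scenario in this report, as an added illustration that is not Firefox code: a toy page-security evaluator that contrasts judging each subresource by its final URL only (the behaviour described above) with judging it by every hop of its redirect chain. The sample page, hosts and load list are constructed for the example.

```javascript
// Added example, not Firefox/PSM code. Models why the lock indicator must
// consider every hop of a subresource's redirect chain, not just the final URL.

const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "object"]);

// Naive rule (the behaviour the report describes): judge each load only by
// the URL it was finally fetched from.
function lockStateFinalUrlOnly(pageUrl, loads) {
  if (new URL(pageUrl).protocol !== "https:") return "insecure";
  const mixed = loads.some(
    l => new URL(l.chain[l.chain.length - 1]).protocol !== "https:");
  return mixed ? "mixed" : "secure";
}

// Stricter rule: one http hop anywhere in the chain means an on-path party
// could have chosen the final https URL, so the load is mixed content.
// Active mixed content (scripts etc.) is reported separately because it can
// alter the whole page; passive content (images) only affects itself.
function lockStateAnyHop(pageUrl, loads) {
  if (new URL(pageUrl).protocol !== "https:") return "insecure";
  let state = "secure";
  for (const l of loads) {
    const insecureHop = l.chain.some(u => new URL(u).protocol !== "https:");
    if (!insecureHop) continue;
    if (ACTIVE_TYPES.has(l.type)) return "mixed-active";
    state = "mixed-passive";
  }
  return state;
}

// Constructed sample modelled on the report: a secure page requests a script
// over http, and a redirect sends that request to an unrelated https host.
const SAMPLE_PAGE = "https://example.test/firefox_test.html";
const SAMPLE_LOADS = [
  { type: "script",
    chain: ["http://example.test/good_script.js",
            "https://other.example/evil_script.js"] },
  { type: "image", chain: ["https://example.test/logo.png"] },
];

console.log(lockStateFinalUrlOnly(SAMPLE_PAGE, SAMPLE_LOADS)); // "secure" (wrong)
console.log(lockStateAnyHop(SAMPLE_PAGE, SAMPLE_LOADS));       // "mixed-active"
```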
After talking with :gavin, sending to Security:PSM & adding Honza.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Bug 62178 has recently landed (on 2012-09-17). So it is definitely in the current latest Nightly (http://nightly.mozilla.org/).

Garrett, can you please check whether we will load the unsecured content even with that bug fixed?
Just downloaded the latest nightly (19.0a1 2012-10-15), and this still reproduces.
I have turned on the security.mixed_content.block_active_content and security.mixed_content.block_display_content prefs, which are false by default (introduced in bug 62178).

I tested your POC with the current Nightly and I'm getting "This page is not modified" and a padlock.

I created a simple secured page that refers to an http-located image that redirects to a secure image. The image doesn't load on the page (as expected) and the padlock is shown.

This is a dupe of a different bug, though.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE