Closed Bug 812760 Opened 12 years ago Closed 8 years ago

Firefox gives spurious non-encrypted content warnings when closing FancyBox due to about:blank load in subframe

Categories

(Core Graveyard :: Security: UI, defect)

16 Branch
x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: bugzilla.mozilla, Unassigned, NeedInfo)

References

Details

(Whiteboard: [psm-padlock])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121026114414

Steps to reproduce:

1. Visit https://www.simbahosting.co.uk
2. Click on "Contact" towards the top right. A FancyBox opens.
3. Close the FancyBox


Actual results:

Firefox puts up a "You have requested an encrypted page that contains some unencrypted information." warning. However, Wireshark (listening on all interfaces) and Firefox's Net Console all show that there is no request being made or other traffic anywhere when the FancyBox is closed. Neither is any non-https: link findable in the source code.

I've checked this in Opera and Chrome and Internet Explorer and none of those reported the phantom non-encrypted content. The warning appears to be entirely bogus.


Expected results:

The FancyBox closes without any spurious non-SSL warnings.

I can't reproduce this with
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:19.0) Gecko/19.0 Firefox/19.0

I tried to open/close the contact page multiple times.

Same as Matti on Win 7.

(I am the original bug reporter). I just tried it on Firefox 16.0.2 on Windows XP - no error appears. So the error appears to be restricted to Linux (also Firefox 16.0.2 - the stock build from Fedora). It is not restricted to the contact page; there are several FancyBox uses on the site (with a valid login) - they all manifest the problem. Closing the FancyBox for the first time on any page always brings up a spurious non-encrypted content warning.

Are there any extensions involved?  Does the problem appear in safe mode?

I ran:

/usr/bin/firefox -safe-mode

Firefox popped up a window to confirm it was in safe mode. Same results: the spurious warning is still there.

Thanks.  I can't see the popup, but I do see the page transition to the no-security state.  The problem seems to be that there's an about:blank load in a subframe that for some reason the security UI decides to treat as an insecure load.  That's ... quite weird.
Status: UNCONFIRMED → NEW
Component: General → Security
Ever confirmed: true
Summary: Firefox gives spurious non-encrypted content warnings when closing FancyBox → Firefox gives spurious non-encrypted content warnings when closing FancyBox due to about:blank load in subframe
(In reply to Boris Zbarsky (:bz) from comment #6)
> Thanks.  I can't see the popup

mixed content warning does not pop up due to Bug 799009.

I think this is bug 506008.
Depends on: 506008
(In reply to Alice0775 White from comment #7)
> (In reply to Boris Zbarsky (:bz) from comment #6)
> > Thanks.  I can't see the popup
> 
> mixed content warning does not pop up due to Bug 799009.

That change landed for Firefox 19. This is reported against Firefox 16. So, Boris, you may want to try with a beta or release build.
Component: Security → Security: UI
My point was that in a trunk build, I see the SSL indicator go away and logging the security UI stuff shows us leaving the "encrypted" state when that about:blank load happens.

(In reply to bugzilla.mozilla from comment #3)
> (I am the original bug reporter). I just tried it on Firefox 16.0.2 on
> Windows XP - no error appears. So the error appears to be restricted to
> Linux (also Firefox 16.0.2 - the stock build from Fedora). It is not
> restricted to the contact page; there are several FancyBox uses on the site
> (with a valid login) - they all manifest the problem. Closing the FancyBox
> for the first time on any page always brings up a spurious non-encrypted
> content warning.

I just tested this on a Mac using Firefox 16.0.2 and everything looks fine.  Why is this a Linux-specific error?  As far as I know, our security UI code is not platform-specific.

It looks like https://mxr.mozilla.org/mozilla-central/source/security/manager/boot/src/nsSecureBrowserUIImpl.cpp#822 makes an exception for protocols that are URI_IS_LOCAL_RESOURCE.  For moz-safe-about (which includes about:blank) you don't have that protocol flag - http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/about/nsAboutProtocolHandler.cpp#192

> I just tested this on a Mac using Firefox 16.0.2 and everything looks fine.

Comment 9 applies to a Mac current trunk build.

> For moz-safe-about (which includes about:blank) you don't have that protocol flag

That may well be a bug, then, yes?
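
Added example (not part of the bug thread and not Firefox source): a simplified C++ model of the check discussed in the comments above, where a non-HTTPS load inside a secure page is exempt only if its protocol carries a local-resource flag. The flag constant, the scheme table, the function names and the URLs are constructed for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Simplified model, not Firefox source. Flag name and value are constructed.
constexpr uint32_t kLocalResource = 1u << 0;
enum class PageState { Secure, Broken };
using FlagTable = std::map<std::string, uint32_t>;

static std::string SchemeOf(const std::string& uri) {
  return uri.substr(0, uri.find(':'));
}

// Fold the loads seen inside an HTTPS top-level page into one padlock state.
PageState Evaluate(const std::vector<std::string>& loads, const FlagTable& flags) {
  PageState state = PageState::Secure;
  for (const std::string& uri : loads) {
    const std::string scheme = SchemeOf(uri);
    if (scheme == "https") continue;            // encrypted transport
    auto it = flags.find(scheme);
    const uint32_t f = (it == flags.end()) ? 0 : it->second;
    if (f & kLocalResource) continue;           // exempt: no network involved
    state = PageState::Broken;                  // treated as unencrypted content
  }
  return state;
}

// Constructed load sequence: the lightbox frame, then its reset on close.
std::vector<std::string> CloseSequence() {
  return {"https://site.example/contact", "about:blank"};
}

// Constructed tables: "about" without and with the local-resource flag.
FlagTable TableAsReported() { return {{"resource", kLocalResource}, {"about", 0}}; }
FlagTable TableWithFlag() { return {{"resource", kLocalResource}, {"about", kLocalResource}}; }

int main() {
  auto name = [](PageState s) { return s == PageState::Secure ? "secure" : "broken"; };
  std::cout << "about: unflagged -> " << name(Evaluate(CloseSequence(), TableAsReported())) << "\n";
  std::cout << "about: flagged   -> " << name(Evaluate(CloseSequence(), TableWithFlag())) << "\n";
  auto mixed = CloseSequence();
  mixed.push_back("http://site.example/logo.png");  // genuine cleartext load
  std::cout << "real http load   -> " << name(Evaluate(mixed, TableWithFlag())) << "\n";
}
```

In this model, flagging the about scheme stops the about:blank load from downgrading the page, while a real http: subresource still does.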
Whiteboard: [psm-padlock]
Is this still an issue? I can't reproduce this.
Flags: needinfo?(bugzilla.mozilla)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: Core → Core Graveyard