Closed Bug 823174 Opened 11 years ago Closed 11 years ago


(Marketplace Graveyard :: Security, defect)

Not set


(Not tracked)



(Reporter: briansmith, Assigned: potch)



(1 file)


1. Visit in the browser or on the phone
2. Notice that the lock icon goes away (switches to globe in desktop browsers, switches to crossed-out lock on Unagi).
Flags: mkt-blocker?
Which browser?  I can't reproduce in nightly on linux.  CCing QA
(In reply to Wil Clouser [:clouserw] from comment #1)
> Which browser?  I can't reproduce in nightly on linux.  CCing QA

Nightly 2012-12-18 desktop, and a B2G unagi build from about a week ago.
Krupa: can you reproduce this?  I updated nightly and still can't reproduce.
I'm seeing the notification about "Connection Partially Encrypted" in Page Info. That said, I don't see any mixed (non https) content in the network logs. Hm.
Have you enabled "security.ssl.treat_unsafe_negotiation_as_broken" pref?
I've never tweaked any ssl settings- they're all stock.
is this a -dev regression? prod seems fine.
I bet it's from Google Analytics, which landed yesterday on -dev.
(In reply to Chris Van Wiemeersch [:cvan] from comment #8)
> I bet it's from Google Analytics, which landed yesterday on -dev.

That was my first guess, but I have yet to reproduce it.  If you can, use the dev tools to tell us what request is going out over plain text.
This is reproducible on production:

Here are my findings:

The common name for our prod cert is for our previous hostname:
Look at the details, is a SAN so that shouldn't be a problem.

When I go to Page Info for I see "Owner: Mozilla Foundation" and "Verified by: GeoTrust Inc".  From your screenshot, you see owner not supplied and "Verified by: Not specified."  

You cut off the cert hashes at the bottom, but my serial number is the same.  I don't think I know enough about certs to debug more.  CCing IT and sec.
Attached image screenshot
This is what I see.  (The third computer I've tried this on)
I believe the issue is the use off appcache to cache media from a different origin from the primary (the CDN in this case). From the applicationCache spec ( 

    If the manifest's <scheme> is https: or another scheme intended for encrypted
    data transfer, then all URLs in explicit sections must have the same origin as
    the manifest itself.

Saw security folks were copied in. Please ping us via "needsinfo" if we're needed.  Agree that we shouldn't launch with mixed content errors.  I think everyone is in alignment on that here.

1. Remove offline cache data for marketplace-dev in Options > Advanced > Network.
2. Reload the page. Lock icon is viible.
3. Allow marketplace-dev to use cache data offline
4. Shift-reload.
5. Mixed content indicator (globe or crossed-out lock) is shown.
Looks like this is not an SSL thing. Thanks.
Maybe this is bug 794507? If so, then that means that any SSL site will look like mixed content if it uses AppCache.
Assuming we want to fix the problem (which I am), the options I can think of are:

1) Allow offline media to be served from marmo directly
2) Modify Gecko to make this permissible
3) No appcache-based offline experience, Keep on Truckin™
bug 794507 was blocking-basecamp-'d which leaves us on the hook for this I guess which means our only reasonable option is #3?
Talked on IRC, option #3 it is.  We've been struggling with appcache for weeks and I want to stop sinking out time into it.  When it evolves further we'll look at it again, but in the mean time we're stopping work in that area.
Assignee: nobody → thepotch
Target Milestone: --- → 2013-01-03
This should be fixed, as appcache is presently disabled. When bug 826309 is fixed, we may be able to re-enable.
Closed: 11 years ago
Resolution: --- → FIXED
Flags: mkt-blocker?
You need to log in before you can comment on or make changes to this bug.