Bug 823174 - Mixed content on https://marketplace-dev.allizom.org/
Status: RESOLVED FIXED
Product: Marketplace
Classification: Server Software
Component: Security
Version: 1.0
Platform: All All
Importance: -- normal
Target Milestone: 2013-01-03
Assigned To: Potch [:potch]
Reported: 2012-12-19 11:50 PST by Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
Modified: 2014-03-10 01:18 PDT

Attachments
screenshot (126.06 KB, image/png) 2012-12-19 22:47 PST, Wil Clouser [:clouserw]

Description Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-19 11:50:36 PST
STR:

1. Visit https://marketplace-dev.allizom.org/ in the browser or on the phone
2. Notice that the lock icon goes away (switches to globe in desktop browsers, switches to crossed-out lock on Unagi).
Comment 1 Wil Clouser [:clouserw] 2012-12-19 11:51:33 PST
Which browser?  I can't reproduce in nightly on linux.  CCing QA
Comment 2 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-19 13:36:19 PST
(In reply to Wil Clouser [:clouserw] from comment #1)
> Which browser?  I can't reproduce in nightly on linux.  CCing QA

Nightly 2012-12-18 desktop, and a B2G unagi build from about a week ago.
Comment 3 Wil Clouser [:clouserw] 2012-12-19 14:18:07 PST
Krupa: can you reproduce this?  I updated nightly and still can't reproduce.
Comment 4 Potch [:potch] 2012-12-19 14:36:33 PST
I'm seeing the notification about "Connection Partially Encrypted" in Page Info. That said, I don't see any mixed (non https) content in the network logs. Hm.
Comment 5 Masatoshi Kimura [:emk] 2012-12-19 20:05:10 PST
Have you enabled "security.ssl.treat_unsafe_negotiation_as_broken" pref?
Comment 6 Potch [:potch] 2012-12-19 20:39:52 PST
I've never tweaked any ssl settings- they're all stock.
Comment 7 Potch [:potch] 2012-12-19 20:40:18 PST
is this a -dev regression? prod seems fine.
Comment 8 Christopher Van Wiemeersch [:cvan] 2012-12-19 20:45:04 PST
I bet it's from Google Analytics, which landed yesterday on -dev.
Comment 9 Wil Clouser [:clouserw] 2012-12-19 22:16:17 PST
(In reply to Chris Van Wiemeersch [:cvan] from comment #8)
> I bet it's from Google Analytics, which landed yesterday on -dev.

That was my first guess, but I have yet to reproduce it.  If you can, use the dev tools to tell us what request is going out over plain text.
Comment 10 Christopher Van Wiemeersch [:cvan] 2012-12-19 22:34:25 PST
This is reproducible on production: https://marketplace.firefox.com

Here are my findings: http://f.cl.ly/items/3M3V3K0v3m0H0E2G3h04/Screen%20Shot%202012-12-19%20at%2010.32.37%20PM.png

The common name for our prod cert is for our previous hostname: marketplace.mozilla.org.
Comment 11 Wil Clouser [:clouserw] 2012-12-19 22:44:27 PST
Look at the details, marketplace.firefox.com is a SAN so that shouldn't be a problem.

When I go to Page Info for marketplace.firefox.com I see "Owner: Mozilla Foundation" and "Verified by: GeoTrust Inc".  From your screenshot, you see owner not supplied and "Verified by: Not specified."  

You cut off the cert hashes at the bottom, but my serial number is the same.  I don't think I know enough about certs to debug more.  CCing IT and sec.
Comment 12 Wil Clouser [:clouserw] 2012-12-19 22:47:12 PST
Created attachment 694239 [details]
screenshot

This is what I see.  (The third computer I've tried this on)
Comment 13 Potch [:potch] 2012-12-20 08:34:34 PST
I believe the issue is the use of appcache to cache media from a different origin from the primary (the CDN in this case). From the applicationCache spec (http://www.w3.org/TR/2011/WD-html5-20110525/offline.html):

    If the manifest's <scheme> is https: or another scheme intended for encrypted
    data transfer, then all URLs in explicit sections must have the same origin as
    the manifest itself.

Gross.
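An added example, not code from the bug or from the Marketplace project, that applies the spec rule quoted above: it parses an appcache manifest and reports every explicit-section URL whose origin differs from an https: manifest's own origin, which is the condition that produced the mixed-content indicator here. The manifest URL, manifest text and CDN hostname are constructed for illustration.

```javascript
// Added example: lint an appcache manifest for the cross-origin rule quoted above.
// The sample manifest and CDN hostname below are constructed placeholders,
// not the Marketplace's real manifest or CDN.

// Parse the manifest text into its sections. Entries before any section header
// belong to the explicit (CACHE) section; '#' starts a comment line.
function parseAppcacheManifest(text) {
  const lines = text.split(/\r?\n/).map((l) => l.trim());
  if (lines[0] !== 'CACHE MANIFEST') {
    throw new Error('not an appcache manifest: missing CACHE MANIFEST header');
  }
  const sections = { CACHE: [], NETWORK: [], FALLBACK: [], SETTINGS: [] };
  let current = 'CACHE';
  for (const line of lines.slice(1)) {
    if (line === '' || line.startsWith('#')) continue;
    const header = line.match(/^(CACHE|NETWORK|FALLBACK|SETTINGS):$/);
    if (header) { current = header[1]; continue; }
    sections[current].push(line);
  }
  return sections;
}

// Return the explicit-section entries an https: manifest may not contain:
// every URL that resolves to an origin other than the manifest's own.
function findCrossOriginExplicitEntries(manifestUrl, manifestText) {
  const manifest = new URL(manifestUrl);
  if (manifest.protocol !== 'https:') return []; // rule applies to encrypted schemes only
  const offenders = [];
  for (const entry of parseAppcacheManifest(manifestText).CACHE) {
    const resolved = new URL(entry, manifest); // relative entries resolve to the manifest origin
    if (resolved.origin !== manifest.origin) offenders.push(resolved.href);
  }
  return offenders;
}

// Constructed sample: an https: manifest that lists one image on a separate CDN host.
const SAMPLE_MANIFEST_URL = 'https://marketplace-dev.allizom.org/manifest.appcache';
const SAMPLE_MANIFEST = `CACHE MANIFEST
# version 1
/media/js/app.js
/media/css/app.css
https://cdn.example.invalid/media/img/logo.png
NETWORK:
*
`;

console.log(findCrossOriginExplicitEntries(SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST));
// → [ 'https://cdn.example.invalid/media/img/logo.png' ]
```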
Comment 14 Michael Coates [:mcoates] (acct no longer active) 2012-12-20 09:32:00 PST
Saw security folks were copied in. Please ping us via "needsinfo" if we're needed.  Agree that we shouldn't launch with mixed content errors.  I think everyone is in alignment on that here.
Comment 15 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-20 11:25:39 PST
STR:

1. Remove offline cache data for marketplace-dev in Options > Advanced > Network.
2. Reload the page. Lock icon is visible.
3. Allow marketplace-dev to use cache data offline
4. Shift-reload.
5. Mixed content indicator (globe or crossed-out lock) is shown.
Comment 16 Wil Clouser [:clouserw] 2012-12-20 11:27:10 PST
Looks like this is not an SSL thing. Thanks.
Comment 17 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-20 22:49:10 PST
Maybe this is bug 794507? If so, then that means that any SSL site will look like mixed content if it uses AppCache.
Comment 18 Potch [:potch] 2012-12-21 09:42:43 PST
Assuming we want to fix the problem (which I am), the options I can think of are:

1) Allow offline media to be served from marmo directly
2) Modify Gecko to make this permissible
3) No appcache-based offline experience, Keep on Truckin™
Comment 19 Wil Clouser [:clouserw] 2012-12-26 09:48:33 PST
bug 794507 was blocking-basecamp-'d which leaves us on the hook for this I guess which means our only reasonable option is #3?
Comment 20 Wil Clouser [:clouserw] 2012-12-27 14:45:39 PST
Talked on IRC, option #3 it is.  We've been struggling with appcache for weeks and I want to stop sinking our time into it.  When it evolves further we'll look at it again, but in the meantime we're stopping work in that area.
Comment 21 Potch [:potch] 2013-01-07 10:02:33 PST
This should be fixed, as appcache is presently disabled. When bug 826309 is fixed, we may be able to re-enable.