Bug 823174 - Mixed content on https://marketplace-dev.allizom.org/
Status: RESOLVED FIXED
Product: Marketplace
Classification: Server Software
Component: Security
Version: 1.0
Platform: All All
Importance: -- normal
Target Milestone: 2013-01-03
Assigned To: Potch [:potch]
Reported: 2012-12-19 11:50 PST by Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
Modified: 2014-03-10 01:18 PDT

Attachments
screenshot (126.06 KB, image/png)
2012-12-19 22:47 PST, Wil Clouser [:clouserw]

Description Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-19 11:50:36 PST
STR:

1. Visit https://marketplace-dev.allizom.org/ in the browser or on the phone
2. Notice that the lock icon goes away (switches to globe in desktop browsers, switches to crossed-out lock on Unagi).
Comment 1 Wil Clouser [:clouserw] 2012-12-19 11:51:33 PST
Which browser?  I can't reproduce in nightly on linux.  CCing QA
Comment 2 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-19 13:36:19 PST
(In reply to Wil Clouser [:clouserw] from comment #1)
> Which browser?  I can't reproduce in nightly on linux.  CCing QA

Nightly 2012-12-18 desktop, and a B2G unagi build from about a week ago.
Comment 3 Wil Clouser [:clouserw] 2012-12-19 14:18:07 PST
Krupa: can you reproduce this?  I updated nightly and still can't reproduce.
Comment 4 Potch [:potch] 2012-12-19 14:36:33 PST
I'm seeing the notification about "Connection Partially Encrypted" in Page Info. That said, I don't see any mixed (non https) content in the network logs. Hm.
Comment 5 Masatoshi Kimura [:emk] 2012-12-19 20:05:10 PST
Have you enabled "security.ssl.treat_unsafe_negotiation_as_broken" pref?
Comment 6 Potch [:potch] 2012-12-19 20:39:52 PST
I've never tweaked any ssl settings- they're all stock.
Comment 7 Potch [:potch] 2012-12-19 20:40:18 PST
is this a -dev regression? prod seems fine.
Comment 8 Christopher Van Wiemeersch [:cvan] 2012-12-19 20:45:04 PST
I bet it's from Google Analytics, which landed yesterday on -dev.
Comment 9 Wil Clouser [:clouserw] 2012-12-19 22:16:17 PST
(In reply to Chris Van Wiemeersch [:cvan] from comment #8)
> I bet it's from Google Analytics, which landed yesterday on -dev.

That was my first guess, but I have yet to reproduce it.  If you can, use the dev tools to tell us what request is going out over plain text.
Comment 10 Christopher Van Wiemeersch [:cvan] 2012-12-19 22:34:25 PST
This is reproducible on production: https://marketplace.firefox.com

Here are my findings: http://f.cl.ly/items/3M3V3K0v3m0H0E2G3h04/Screen%20Shot%202012-12-19%20at%2010.32.37%20PM.png

The common name for our prod cert is for our previous hostname: marketplace.mozilla.org.
Comment 11 Wil Clouser [:clouserw] 2012-12-19 22:44:27 PST
Look at the details, marketplace.firefox.com is a SAN so that shouldn't be a problem.

When I go to Page Info for marketplace.firefox.com I see "Owner: Mozilla Foundation" and "Verified by: GeoTrust Inc".  From your screenshot, you see owner not supplied and "Verified by: Not specified."  

You cut off the cert hashes at the bottom, but my serial number is the same.  I don't think I know enough about certs to debug more.  CCing IT and sec.
Comment 12 Wil Clouser [:clouserw] 2012-12-19 22:47:12 PST
Created attachment 694239 [details]
screenshot

This is what I see.  (The third computer I've tried this on)
Comment 13 Potch [:potch] 2012-12-20 08:34:34 PST
I believe the issue is the use of appcache to cache media from a different origin from the primary (the CDN in this case). From the applicationCache spec (http://www.w3.org/TR/2011/WD-html5-20110525/offline.html):

    If the manifest's <scheme> is https: or another scheme intended for encrypted
    data transfer, then all URLs in explicit sections must have the same origin as
    the manifest itself.

Gross.
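The same-origin rule quoted from the spec above, applied as a check over a manifest (an added example, not code from the bug or from Marketplace; the manifest path and the CDN hostname cdn.example.invalid are constructed placeholders):

```javascript
// Added example: checks an HTML5 application cache manifest against the spec
// rule that, when the manifest is served over https:, every URL in an explicit
// (CACHE) section must share the manifest's origin. Placeholders are marked.
function parseAppcacheManifest(text) {
  const lines = text.split(/\r\n|\r|\n/).map((l) => l.trim());
  if (lines[0] !== "CACHE MANIFEST") {
    throw new Error("not an appcache manifest: missing CACHE MANIFEST header");
  }
  const sections = { explicit: [], network: [], fallback: [] };
  let mode = "explicit"; // entries before any section header are explicit
  for (const line of lines.slice(1)) {
    if (line === "" || line.startsWith("#")) continue; // blank or comment line
    if (line === "CACHE:") { mode = "explicit"; continue; }
    if (line === "NETWORK:") { mode = "network"; continue; }
    if (line === "FALLBACK:") { mode = "fallback"; continue; }
    if (mode === "fallback") {
      const [namespace, entry] = line.split(/\s+/); // "namespace fallback-url"
      sections.fallback.push({ namespace, entry });
    } else {
      sections[mode].push(line);
    }
  }
  return sections;
}

// Returns the explicit entries whose origin differs from the manifest's origin.
// An empty array means this rule cannot trip the "partially encrypted" indicator.
function findCrossOriginExplicitEntries(manifestUrl, text) {
  const manifest = new URL(manifestUrl);
  if (manifest.protocol !== "https:") return []; // rule applies to https: only
  const { explicit } = parseAppcacheManifest(text);
  return explicit
    .map((entry) => new URL(entry, manifestUrl)) // resolve relative entries
    .filter((u) => u.origin !== manifest.origin)
    .map((u) => u.href);
}
// Constructed sample: a Marketplace-style manifest listing one CDN asset.
// The manifest path and the CDN host are placeholders, not real values.
const SAMPLE_MANIFEST_URL = "https://marketplace-dev.allizom.org/manifest.appcache";
const SAMPLE_MANIFEST = `CACHE MANIFEST
CACHE:
/media/css/mkt.css
https://cdn.example.invalid/media/js/mkt.js
NETWORK:
*
FALLBACK:
/ /offline.html
`;
console.log(findCrossOriginExplicitEntries(SAMPLE_MANIFEST_URL, SAMPLE_MANIFEST));
```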
Comment 14 Michael Coates [:mcoates] (acct no longer active) 2012-12-20 09:32:00 PST
Saw security folks were copied in. Please ping us via "needsinfo" if we're needed.  Agree that we shouldn't launch with mixed content errors.  I think everyone is in alignment on that here.
Comment 15 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-20 11:25:39 PST
STR:

1. Remove offline cache data for marketplace-dev in Options > Advanced > Network.
2. Reload the page. Lock icon is visible.
3. Allow marketplace-dev to use cache data offline
4. Shift-reload.
5. Mixed content indicator (globe or crossed-out lock) is shown.
Comment 16 Wil Clouser [:clouserw] 2012-12-20 11:27:10 PST
Looks like this is not an SSL thing. Thanks.
Comment 17 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-12-20 22:49:10 PST
Maybe this is bug 794507? If so, then that means that any SSL site will look like mixed content if it uses AppCache.
Comment 18 Potch [:potch] 2012-12-21 09:42:43 PST
Assuming we want to fix the problem (which I am), the options I can think of are:

1) Allow offline media to be served from marmo directly
2) Modify Gecko to make this permissible
3) No appcache-based offline experience, Keep on Truckin™
Comment 19 Wil Clouser [:clouserw] 2012-12-26 09:48:33 PST
bug 794507 was blocking-basecamp-'d which leaves us on the hook for this I guess which means our only reasonable option is #3?
Comment 20 Wil Clouser [:clouserw] 2012-12-27 14:45:39 PST
Talked on IRC, option #3 it is.  We've been struggling with appcache for weeks and I want to stop sinking our time into it.  When it evolves further we'll look at it again, but in the meantime we're stopping work in that area.
Comment 21 Potch [:potch] 2013-01-07 10:02:33 PST
This should be fixed, as appcache is presently disabled. When bug 826309 is fixed, we may be able to re-enable.