Open Bug 834821 Opened 11 years ago Updated 2 years ago

Unable to allow mixed content if Navigation Toolbar (or Location Bar) has been removed (e.g. in a locked-down kiosk type of situation)

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Type:
defect

Tracking

()

People

(Reporter: tanvi, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

The same issue with the CTP doorhanger will exist with the Mixed Content Doorhanger.

+++ This bug was initially created as a clone of Bug #831365 +++

STR:
 1. Ensure you have Flash installed. (just as a demo plugin)
 2. In about:config, set "plugins.click_to_play" to true.
     (This is to simulate us pushing out a CTP block of a particular plugin.)
 3. Visit http://homestarrunner.com/
      --> Notice that location bar has a Plugin icon, w/ possibility to
          always activate plugins for this site.
 4. Go to View | Toolbars, and uncheck "Navigation Toolbar". Ctrl+R to reload. (optional)

EXPECTED RESULTS: There should still be some way to whitelist the site.
ACTUAL RESULTS: There's no way to whitelist the site.
The STR are from the other bug, real STR replace steps 1-3 with 
  * visit https://people.mozilla.com/~bsterne/tests/62178/test.html
then step 4. Same expected and actual results.

I'm not sure is this is really valid though. We hook lots of things to doorhangers. Heck, the back and reload buttons will be missing for people who don't know about the magic key shortcuts, which is most actual people.

If you're really in some sort of kiosk mode the creator of the kiosk mode must decide what the default behavior is for all these kinds of cases, and set prefs accordingly to either always allow or always block. If it's just a user trying to get screen real estate we should educate them to use Full-screen mode instead, in which case the location bar comes back when you need it by mousing near the top.
URL: https://people.mozilla.com/~bsterne/t...
My blathering obscured my point: I recommend WONTFIX on this one.
Such kiosks are usually designed to remove the address bar for two reasons:

1) They use framing to spoof the address bar so they can decide how sites are presented to users, which is something we don't want to support.

2) They are trying to restrict the user to a certain subset of sites, usually for security or policy reaons. There is a very simple workaround: fix all instances of mixed active content on those websites.

I also recommend WONTFIX.
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.