Closed Bug 836359 Opened 11 years ago Closed 11 years ago

Treat mixed content requests made by plugins as passive

Categories: Core :: Security, defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target milestone: mozilla21
People: Reporter: tanvi, Assigned: tanvi
References: Blocks 1 open bug
Attachments: 1 file

Until a long term solution for bug 836352 is determined, I propose we treat TYPE_OBJECT_SUBREQUEST as passive content in nsMixedContentBlocker.cpp.

Without this, users will have too many false positives, where plugin requests are actually passive, but Firefox is treating them as active and hence blocking them.  For example, every connection to https youtube will break and require the user to click the shield mixed content icon and click "disable protection".  This would contribute to the security warning fatigue due to too many false positive issues.  This could prompt many users to turn the feature off and hence reduce their protection for all pages.

I would rather provide a solution that protects users in most cases sooner than a foolproof solution that leaves users vulnerable until all issues are addressed.

+++ This bug was initially created as a clone of Bug #836352 +++

Plugins make requests for resources; these resources are given a content type TYPE_OBJECT_SUBREQUEST.

The Mixed Content Blocker can't tell if these requests are for active content or passive content.  For non-plugin requests, the content type is determined by the context of the request.  Since the browser doesn't know why the plugin is requesting the content, we can't tell if it's requesting a script or an image or a video.

Mixed content caused by plugins isn't an issue that will go away (for example, we cannot expect that video files on https pages are all encrypted.  This would slow down the performance of the site and negatively affect user experience, especially for users with low bandwidth connections).

There are a few ways to deal with this.  None of them are ideal and many are not easy:
* Treat all plugin requests as passive content
* Check the file type that is returned (is it .js, is it .swf?) and make a best guess for the content type and active/passive classification.
* Sniff the content that is returned to see what content type it looks like.
* Ask plugin creators to honor the mixed content settings of the browser.  If mixed active content is turned off, do not allow mixed active content requests.
* Ask plugin creators to provide API options that tell the browser whether a request/response is passive or active, and then let the browser decide how to handle the request/response.

I first discovered this issue when testing the Mixed Content Blocker on https://youtube.com.  In the current implementation of nsMixedContentBlocker, the video content is blocked because it is retrieved over http and nsMixedContentBlocker takes the conservative approach by treating all TYPE_OBJECT_SUBREQUEST as active content.

Other suggestions and thoughts are welcome!
Blocks: 836352
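To make the decision described above concrete, here is an added example (not Mozilla code, and not from this bug's patch) that models the part of the mixed content check this bug touches: a load is mixed only when an https document fetches an http subresource, the request's content type is then mapped to either the "active" or "display" class, and the class decides which blocking pref applies. The enum names, the `Policy` struct and the `objectSubrequestIsActive` switch are this example's own; the real lists live in nsMixedContentBlocker.cpp, and only the script/stylesheet vs image/media split and the TYPE_OBJECT_SUBREQUEST move are taken from the discussion here. The sample URLs are constructed.

```cpp
#include <iostream>
#include <string>

// Content types a subresource load can carry (subset; names are this example's own,
// modelled on Gecko's nsIContentPolicy TYPE_* constants).
enum class ContentType { Script, Stylesheet, Image, Media, ObjectSubrequest };

// Mixed content class the blocker assigns to an http load from an https page.
enum class MixedClass { NotMixed, Active, Display };

enum class Decision { Allow, BlockActive, BlockDisplay };

// Assumed knobs: the two blocking prefs, plus a switch that selects the
// classification of plugin subrequests before (true) or after (false) this bug.
struct Policy {
    bool blockActive;
    bool blockDisplay;
    bool objectSubrequestIsActive;
};

static bool hasScheme(const std::string& url, const std::string& scheme) {
    return url.compare(0, scheme.size(), scheme) == 0;
}

// Step 1: is this load mixed content at all, and if so which class is it?
MixedClass classify(const std::string& documentUrl, const std::string& requestUrl,
                    ContentType type, const Policy& policy) {
    // Only an https document can have mixed content, and only an http
    // subresource makes it mixed; everything else is out of scope here.
    if (!hasScheme(documentUrl, "https://") || !hasScheme(requestUrl, "http://")) {
        return MixedClass::NotMixed;
    }
    switch (type) {
        case ContentType::Script:
        case ContentType::Stylesheet:
            return MixedClass::Active;   // can rewrite the page: active
        case ContentType::Image:
        case ContentType::Media:
            return MixedClass::Display;  // cannot run code: display/passive
        case ContentType::ObjectSubrequest:
            // The browser cannot see what the plugin will do with the bytes,
            // so this type is classified by policy, which is the whole bug.
            return policy.objectSubrequestIsActive ? MixedClass::Active
                                                   : MixedClass::Display;
    }
    return MixedClass::Active;  // unreachable; fail closed
}

// Step 2: apply the pref that governs the class the load fell into.
Decision shouldLoad(const std::string& documentUrl, const std::string& requestUrl,
                    ContentType type, const Policy& policy) {
    switch (classify(documentUrl, requestUrl, type, policy)) {
        case MixedClass::NotMixed: return Decision::Allow;
        case MixedClass::Active:   return policy.blockActive  ? Decision::BlockActive  : Decision::Allow;
        case MixedClass::Display:  return policy.blockDisplay ? Decision::BlockDisplay : Decision::Allow;
    }
    return Decision::BlockActive;
}

static const char* name(Decision d) {
    switch (d) {
        case Decision::Allow:        return "allow";
        case Decision::BlockActive:  return "block (mixed active)";
        case Decision::BlockDisplay: return "block (mixed display)";
    }
    return "?";
}

int main() {
    // Constructed URLs standing in for the https YouTube page and a plugin's
    // http video fetch that the bug describes as a false positive.
    const std::string page = "https://www.youtube.com/watch?v=example";
    const std::string video = "http://video.example.net/clip.flv";
    const std::string script = "http://cdn.example.net/player.js";

    Policy before{true, false, true};   // object subrequests treated as active
    Policy after{true, false, false};   // object subrequests treated as display

    std::cout << "plugin video, before: " << name(shouldLoad(page, video, ContentType::ObjectSubrequest, before)) << "\n";
    std::cout << "plugin video, after:  " << name(shouldLoad(page, video, ContentType::ObjectSubrequest, after)) << "\n";
    std::cout << "http script, after:   " << name(shouldLoad(page, script, ContentType::Script, after)) << "\n";
    return 0;
}
```

Note what the `after` policy gives up: an http `.js` fetched through a plugin subrequest is now allowed just like an http video would be, because the classifier never sees the difference. That is the trade-off the reviewers below accept, and it is why the "check the file type" and "sniff the content" options in the list above would sit inside the `ObjectSubrequest` branch if they were ever implemented.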
One line patch that moves TYPE_OBJECT_SUBREQUEST from mixed active to mixed display content.
Attachment #708238 - Flags: review?(bugs)
Push to try: 
https://tbpl.mozilla.org/?tree=Try&rev=ee3cc0aba5d2
Assignee: nobody → tanvi
Target Milestone: --- → Firefox 21
Product: Firefox → Core
Target Milestone: Firefox 21 → ---
Comment on attachment 708238 [details] [diff] [review]
Categorize TYPE_OBJECT_SUBREQUEST as Mixed Display Content

Someone else from security team should review this change too.
Perhaps dveditz?

I'm not quite happy with this change, but I guess no one is. I don't
have better suggestions though.
Attachment #708238 - Flags: review?(bugs) → review+
Comment on attachment 708238 [details] [diff] [review]
Categorize TYPE_OBJECT_SUBREQUEST as Mixed Display Content

(In reply to Olli Pettay [:smaug] from comment #3)
> Comment on attachment 708238 [details] [diff] [review]
> Categorize TYPE_OBJECT_SUBREQUEST as Mixed Display Content
> 
> Someone else from security team should review this change too.
> Perhaps dveditz?
> 
> I'm not quite happy with this change, but I guess no one is. I don't
> have better suggestions though.

dveditz and I discussed this yesterday.  dveditz, can you do a quick review?  Thanks!
Attachment #708238 - Flags: review?(dveditz)
Comment on attachment 708238 [details] [diff] [review]
Categorize TYPE_OBJECT_SUBREQUEST as Mixed Display Content

Review of attachment 708238 [details] [diff] [review]:
-----------------------------------------------------------------

I am disappoint :-( but I don't see how to avoid bowing to the reality of the current web.

r=dveditz
Attachment #708238 - Flags: review?(dveditz) → review+
Try looks good.  Going to push to inbound.
Pushed: hg.mozilla.org/integration/mozilla-inbound/rev/63df0418ce2b
https://hg.mozilla.org/mozilla-central/rev/63df0418ce2b
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
See Also: → 1244116