Open Bug 843977 (mozorg-mixedcontent) Opened 12 years ago Updated 6 years ago

[tracking] Mixed Active Content on Mozilla Affiliated sites

Categories

(Websites :: Other, defect, P2)

Product:
Websites
Component:
Other
Type:
defect

Tracking

(Not tracked)

People

(Reporter: briansmith, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: compat, dogfood)

This is a tracking bug for pages on mozilla.org sites that will break when the mixed content blocker is enabled (bug 834836). Note that this bug blocks bug 815321 (the overall tracking bug for the mixed content blocker), but not bug 834836 (the enabling of the mixed content blocker in Firefox). We expect Firefox 22 to ship with the mixed content blocker enabled, so any pages that aren't fixed before Firefox 22 ships will be (partially) broken in Firefox 22. Note that all of these pages are already partially broken in IE9+ unless the user explicitly chooses to allow non-secure content. In some cases, the pages are also already broken in Chrome. Here is my original notice about this change to Firefox in dev-webdev: https://groups.google.com/d/msg/mozilla.dev.webdev/ACiyFQC6UGo/XxZoDlz06P8J Please read the thread for important information and suggestions for identifying and fixing mixed-content issues. I suggest replying to the dev-webdev thread with questions. Note that we are going to start blocking this kind of content because it (<script src> in particular) is a major security issue for any HTTPS website. In particular, if you load non-HTTPS script, then a MitM can basically "undo" all the protection that SSL gives the page. For example, it is trivial for them to modify the page to steal passwords and non-HttpOnly cookies.
Summary: [tracking] Mixed script content on mozilla.org sites → [tracking] Mixed active content (usually scripts and iframes) on mozilla.org sites
bsternthal: this is a tracking bug that you should discuss with the dev team and maybe we do some hacking on during the offsite.
Depends on: 798611
Component: Other → Project Tracking
Product: Websites → www.mozilla.org
Also mentioned by Stefan elsewhere : https://openbadges.org, https://popcorn.webmaker.org, https:/reps.mozilla.org and https://webfwd.org These are not all mozilla.org sites obviously, but are still Mozilla sites IMO.
Depends on: 865381
Depends on: 865384
(In reply to Ian Melven :imelven from comment #2) > https://openbadges.org, https://popcorn.webmaker.org, > https:/reps.mozilla.org and https://webfwd.org > webfwd.org already has a bug: https://bugzilla.mozilla.org/show_bug.cgi?id=844010 I filed bugs for popcorn.webmaker.org (https://bugzilla.mozilla.org/show_bug.cgi?id=865384) and openbadges.org (https://bugzilla.mozilla.org/show_bug.cgi?id=865381) For reps.mozilla.org, I only see Mixed Passive Content. Stefan/Ian - can you provide the link where Mixed Active Content was found? > These are not all mozilla.org sites obviously, but are still Mozilla sites > IMO. This bug should be to track all Mozilla affiliated sites (whether they are *.mozilla.org or not). I'm changing the subject to refect that.
Summary: [tracking] Mixed active content (usually scripts and iframes) on mozilla.org sites → [tracking] Mixed Active Content on Mozilla Affiliated sites
Depends on: 866997
Priority: -- → P2
Depends on: 871458
Depends on: 871070
Depends on: 791681
Depends on: 865506
Depends on: 875231
Component: Project Tracking → Other
Product: www.mozilla.org → Websites
On this Mozilla Blog Post the demo doesn't show up with Mixed Content Blocker on. https://blog.mozilla.org/blog/2013/02/24/webrtc-ringing-a-mobile-phone-near-you/
Depends on: 888751
No longer depends on: 888751
Alias: mozorg-mixedcontent
Depends on: 888984
Is mozilla-russia.org a site that the Mozilla Foundation/Corporation owns? It includes mixed content from yandex - https://bugzilla.mozilla.org/show_bug.cgi?id=888984
(In reply to Tanvi Vyas [:tanvi] from comment #5) > Is mozilla-russia.org a site that the Mozilla Foundation/Corporation owns? No, but it is the Russian localization and community site.
Depends on: 888472
Depends on: 889579
The mixed content blocker will hit stable users on August 6th when Firefox 23 is released. We really need to get all the dependency bugs fixed by then, or face potential embarrassment. Is there anyone from webdev that can drive all these dependencies and make sure they get resolved in time? Note that most of the dependency bugs contain issues that already exist for users on stable versions of IE and/or Chrome.
Tanvi: I will take ownership of this bug and the blockers.
(In reply to Ben (:bensternthal) from comment #8) > Tanvi: I will take ownership of this bug and the blockers. Thank you so much for helping with this Ben!
Depends on: 863054
Depends on: 892818
Depends on: 893903
Depends on: 896148
No longer depends on: 896148
Depends on: 901906
No longer depends on: 901906
No longer depends on: 888984
Depends on: 902849
Depends on: 928924
Depends on: 958034
Depends on: 966884
Depends on: 1084068
You need to log in before you can comment on or make changes to this bug.