Closed Bug 843978 Opened 12 years ago Closed 11 years ago

Mixed active content on hacks.mozilla.org

Categories

(Developer Engagement :: Mozilla Hacks, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: briansmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: compat, dogfood, sec-low)

Attachments

(1 file, 1 obsolete file)

+++ This bug was initially created as a clone of Bug #843977 +++

See https://hacks.mozilla.org/2012/11/hacking-firefox-os/. Mixed content loads:

[23:10:40.712] GET http://www.youtube.com/embed/6bbo147yLKQ [HTTP/1.1 200 OK 101ms]

See http://apiblog.youtube.com/2011/02/https-support-for-youtube-embeds.html for how to fix this.
I went back over the ~50 most recent articles on hacks.mozilla.org looking for pages that will break once we turn on the Firefox mixed content blocker for Firefox 22. It would be great if we could update as many of these articles as possible so that they stop using http:// scripts, iframes, and CSS loads so they do not break when we enable the mixed content blocker feature. See https://groups.google.com/d/msg/mozilla.dev.webdev/ACiyFQC6UGo/XxZoDlz06P8J for more background information. (Most of these pages are already broken by default in Internet Explorer 9+.)

The good news: Most of the issues below can EASILY be fixed by replacing the "http" in the offending link with "https://".

Bad news #1: I am not sure how we can automate these changes. We may have to manually modify the pages.

Bad news #2: jsbin and linklib do not seem to support HTTPS at all, so I don't know of any way to fix those pages yet. If we have contacts at those websites, it would be great to get their contact info (email me: bsmith@mozilla.com) so I can advocate for them to add HTTPS support.
https://hacks.mozilla.org/articles/
    <iframe src="http://www.mozilla.com/en-US/newsletter/hacks.mozilla.org/"

https://hacks.mozilla.org/2013/02/using-webapis-to-make-the-web-layer-more-capable/
    http://www.slideshare.net/slideshow/embed_code/16056246

https://hacks.mozilla.org/2013/02/wercker-continuous-delivery-made-easy-a-webfwd-project/
    http://player.vimeo.com/video/53756616?byline=0&amp;portrait=0

https://hacks.mozilla.org/2013/01/power-polygon-html5-slides-with-theming-and-much-more/
    http://www.youtube.com/embed/oZIvKOCDvus?rel=0

https://hacks.mozilla.org/2013/01/writing-web-apps-quickly-with-mortar/
    http://www.youtube.com/embed/nsvAwXBUll8

https://hacks.mozilla.org/2013/01/firefox-development-highlights-h-264-mp3-support-on-windows-scoped-stylesheets-more/
    http://jsbin.com/*
    http://static.jsbin.com/*

https://hacks.mozilla.org/2013/01/join-us-for-firefox-os-app-days/
    http://www.youtube.com/embed/aWIDQNbxV7E

https://hacks.mozilla.org/2012/12/firefox-development-highlights-per-window-private-browsing-canvas-globalcompositeoperation-new-values/
    http://jsbin.com/*
    http://static.jsbin.com/*

https://hacks.mozilla.org/2012/12/linklib-lets-film-lovers-and-filmmakers-send-time-synced-links-from-videos-to-phones/
    http://www.linklib.org/*

https://hacks.mozilla.org/2012/12/firefox-os-simulator-1-0-is-here/
    http://www.youtube.com/embed/g6oLUmc2iOQ

https://hacks.mozilla.org/2012/12/firefox-development-highlights-video-playbackrate-download-attribute/
    http://jsbin.com/*
    http://static.jsbin.com/*

https://hacks.mozilla.org/2012/11/codebender-physical-programming-on-the-web-a-webfwd-project/
    http://player.vimeo.com/video/54210291?badge=0

https://hacks.mozilla.org/2012/12/firefox-development-highlights-video-playbackrate-download-attribute/
    http://jsbin.com/*
    http://static.jsbin.com/*

https://hacks.mozilla.org/2012/11/dev-resources-to-hack-the-future-web-mozilla-ignite/
    http://www.screenr.com/embed/ERj8

https://hacks.mozilla.org/2012/11/firefox-os-video-presentations-and-slides-on-the-os-webapis-hacking-and-writing-apps/
    http://www.youtube.com/embed/GZsU2ZIfwa0
    http://www.youtube.com/embed/LjAy7Z-fq1k
    http://www.youtube.com/embed/yMiCkBeg5Eo
    http://www.youtube.com/embed/hbCldh6qFG4
    http://www.youtube.com/embed/umlAXczmSSQ

https://hacks.mozilla.org/2012/11/html5-mythbusting/
    http://www.youtube.com/embed/se-oorr2zM8
    http://www.youtube.com/embed/Znj_8IFeTVs

https://hacks.mozilla.org/2012/10/leave-no-one-behind-with-html5-presentation-at-ffwd-pro-in-zagreb-croatia/
    http://www.slideshare.net/slideshow/embed_code/13277859

https://hacks.mozilla.org/2012/10/broken-promises-of-html5-and-whats-next-a-presentation-at-html5devconf/
    http://www.youtube.com/embed/r7xnKSPWTjo

https://hacks.mozilla.org/2012/10/accessibility-features-in-firefox-on-android/
    http://www.youtube.com/embed/8shtz3PS7-E

https://hacks.mozilla.org/2012/10/creating-the-future-of-mobile-with-firefox-os/
    http://www.youtube.com/embed/5MzuGWFIfio?rel=0
    http://www.youtube.com/embed/rk1oTO6cYH0?rel=0

Note that this is not a comprehensive list. There are too many articles for me to comb through. Again, please email me if you would like some hints about how to resolve these issues. (Again, in most cases you can just search/replace "http://" with "https://" in your page.)
Hi Brian, thanks for the heads-up. I guess it could be done manually, but naturally that's not the process that's desired.
I added Chris More and Craig Cook to this bug, thinking that by far, the easiest way would be to have an automated script go through the database of posts and do the needed changes.

For JS Bin, best way forward is probably to file a bug: https://github.com/remy/jsbin/issues/new

One more question: Why does Hacks need to be https:// in the first place?
There was already an issue in the jsbin issue tracker for supporting HTTPS. I left a comment on it at https://github.com/remy/jsbin/issues/322.

It may actually be better for security if we just hosted jsbin on our own servers. It is open source and expressly designed to be easy to host. Do you have any idea about who at Mozilla I could talk to about doing that?

> Why does Hacks need to be https:// in the first place?

Good question. I think that mozilla.org is, in general, moving to HSTS (all HTTPS, all the time) as much as possible.
> There was already an issue in the jsbin issue tracker for supporting HTTPS.
> I left a comment on it at https://github.com/remy/jsbin/issues/322.
>
> It may actually be better for security if we just hosted jsbin on our own
> servers. It is open source and expressly designed to be easy to host. Do you
> have any idea about who at Mozilla I could talk to about doing that?

Maybe Chris or Craig. I wonder if we have that many JS Bin examples, though. Maybe porting the examples to jsFiddle instead would be easier.

> > Why does Hacks need to be https:// in the first place?
>
> Good question. I think that mozilla.org is, in general, moving to HSTS (all
> HTTPS, all the time) as much as possible.

Ok. I'm all for security, but just trying to see the benefits here.
Jakem: how difficult would it be to run a SQL script on the database to do some substring replacements to switch from http to https on embedded content that supports that?
Running SQL on the prod DB to change text scares me... worse than poltergeist. If Jake is OK with it then by all means proceed... make sure we can test it first and have a rollback (back up the DB right before). Outside of that I would suggest running a query to find HTTP embed codes in the content field to figure out the scope of work.
I am hoping to turn on the pref to block mixed content soon (bug 834836). The blocker bugs to turn the pref on are close to complete. I have turned on mixed content blocker (set security.mixed_content.block_active_content to true) for a few weeks now. A few other mozillians have turned it on locally as well. We find that the only pages we see the mixed content doorhanger appear are actually mozilla pages, which is unfortunate.

I understand that doing a substring replacement on the database is scary, and could break something. Before doing that, perhaps we could first run a query to see how many database entries are affected? If there aren't too many, then maybe the change from http:// to https:// can be done semi-manually?
Component: hacks.mozilla.org → Mozilla Hacks
Product: Websites → Mozilla Developer Network
(In reply to Chris More [:cmore] from comment #6)
> Jakem: how difficult would it be to run a SQL script on the database to do
> some substring replacements to switch from http to https on embedded content
> that supports that?

Easy to run, the hard part will be building the SQL script. :)

It might be simple enough to SELECT through the content and find the offending bits. From that it might be feasible to modify them by hand. Honestly, it's hard to be sure until we have a handle on how many changes we're talking about. I like Tanvi's idea... let's see if we can come up with a raw count, and then worry about where to go from there.

I will make an attachment shortly.
379 affected posts and pages, including stuff as recent as April 8 and as old as May 2009. The only "page" affected is the about page. Hopefully easy to fix that. I suggest fixing the most recent "posts" that are affected, but it's debatable how worthwhile it is to fix *all* of them. I don't think an automated fix is going to prove fruitful here.
> Created attachment 737077 [details]
> posts and pages with ' src="http:// ' in them
>
> 379 affected posts and pages, including stuff as recent as April 8 and
> as old as May 2009.

Thanks Jake.

> The only "page" affected is the about page. Hopefully easy to fix that.

Fixed.

> I suggest fixing the most recent "posts" that are affected, but it's
> debatable how worthwhile it is to fix *all* of them.

Agreed. Currently travelling and on poor hotel WiFi. I'll look into it next week when I'm back, to assess how much work it is.
I have now manually gone through all posts in 2012 and 2013. I've also gone through the visitor statistics for this year and made sure to fix this in the top 150 posts, no matter how old they were. This should cover most of the posts, and definitely a vast majority of the ones being visited.

Learnings:

- JSFiddle doesn't support https. I've spoken to Piotr about this, and they are looking into it.
- The script doesn't exclude code examples, i.e. samples wrapped in <pre> elements

Can you please run the script again, to see if I missed anything? (older posts - that aren't that popular - will have http references left, not worth the extra effort)
Flags: needinfo?(nmaul)
Keywords: sec-low
Here's an updated list. Down from 379 to 222! Very nice work. :) There's a few things in 2013 and 2012 still, but the vast majority are 2011 and earlier.
Attachment #737077 - Attachment is obsolete: true
Flags: needinfo?(nmaul)
Thanks, it was really fun. ;-) I went through the things in 2013, and as mentioned above, it's mostly about code samples wrapped in <pre> blocks, so that's valid use of http and not https. Additionally, I think there were a few images from services that only offer http, but at least for now, Firefox won't be blocking images from what I've seen.
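The two learnings above (the count script also matched http:// inside <pre> code samples, and images are passive content that the blocker leaves alone) describe what a post scanner should actually look for. What follows is an added example, not the bug's own SQL script or any hacks.mozilla.org tooling: it flags active http:// loads outside <pre> and upgrades only hosts the caller already knows serve HTTPS (that host list is an assumption; the sample post in the test is constructed).

```python
"""Flag and fix mixed *active* content in HTML posts (added example, not the
bug's own script). Active loads (script, iframe, stylesheet, object, embed)
over http:// get blocked; images are passive; <pre> samples are skipped."""
import re
from html.parser import HTMLParser

# Element -> attribute that fetches active content.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src",
          "object": "data", "link": "href"}

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_pre = 0        # nesting depth inside <pre>
        self.findings = []     # (tag, url) for http loads outside <pre>

    def handle_starttag(self, tag, attrs):
        if tag == "pre":
            self.in_pre += 1
            return
        if self.in_pre or tag not in ACTIVE:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return             # only stylesheet links are active content
        url = a.get(ACTIVE[tag]) or ""
        if url.lower().startswith("http://"):
            self.findings.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "pre" and self.in_pre:
            self.in_pre -= 1

def find_mixed_active(html):
    """Return [(tag, url), ...] for active http:// loads outside <pre>."""
    s = MixedContentScanner()
    s.feed(html)
    return s.findings

PRE_BLOCK = re.compile(r"(<pre\b.*?</pre>)", re.S | re.I)   # no nested <pre>

def upgrade(html, https_hosts):
    """Rewrite http:// to https:// for hosts known to serve HTTPS (the list is
    an assumption), leaving <pre> blocks untouched; other hosts stay http so
    find_mixed_active keeps reporting them for manual follow-up."""
    parts = PRE_BLOCK.split(html)          # odd indices are <pre> blocks
    for i in range(0, len(parts), 2):
        for h in https_hosts:
            parts[i] = parts[i].replace("http://" + h + "/", "https://" + h + "/")
    return "".join(parts)
```

Running find_mixed_active over the post content column gives the "raw count" discussed above without counting documentation samples, and a second pass after upgrade shows which hosts (jsbin, linklib and the like) still need a manual decision.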
Version: Trunk → unspecified
Is this bug complete? Is there a plan to go through the stuff prior to 2012, or are we happy with this?
(In reply to Tanvi Vyas [:tanvi] from comment #15)
> Is this bug complete? Is there a plan to go through the stuff prior to 2012,
> or are we happy with this?

I'd say we're good for now. The effort and time it takes vs. the small gain isn't worth it. I'd close it for now, and take it up later, if deemed needed.
(In reply to Robert Nyman from comment #16)
> (In reply to Tanvi Vyas [:tanvi] from comment #15)
> > Is this bug complete? Is there a plan to go through the stuff prior to 2012,
> > or are we happy with this?
>
> I'd say we're good for now. The effort and time it takes vs. the small gain
> isn't worth it. I'd close it for now, and take it up later, if deemed needed.

Okay, sounds good to me.
Closing as per comment 16.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Product: Mozilla Developer Network → Developer Engagement