Closed Bug 844556 Opened 11 years ago Closed 3 years ago

[meta][tracking] compatibility issues with mixed content blocker on non-Mozilla websites

Categories

(Web Compatibility :: Site Reports, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: briansmith, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Keywords: meta, site-compat)

Attachments

(2 files, 1 obsolete file)

+++ This bug was initially created as a clone of Bug #844555 +++

This bug tracks issues with *non-Mozilla* sites that have their functionality broken by the mixed content blocker until the user chooses "disable protection for this page" in the mixed content blocker, or where the page is broken and the "disable protection for this page" button does not fix the problem.

Bug 843977 is about mixed content issues on *.mozilla.org. That is separated from this bug because I expect us to be able to fix our own websites, and because we must fix our own websites so they work with IE, Chrome and other browsers too. Please file your bugs for Mozilla websites blocking bug 843977, not blocking this bug.

I expect a combination of bug fixes (making mixed content blocker smarter), evangelism (convincing websites to fix their mixed content security issues), and selectively-applied apathy (letting the website break) will be necessary to resolve these issues.
Depends on: 861753
Depends on: 862750
Depends on: 863517
Depends on: 864139
Depends on: 864787
Depends on: 866986
Keywords: site-compat
This list was compiled after running m-c through top 1000 domains, with blocking of both active and display content enabled.

Note that some domains are represented twice, both with and without the "www" token.
(In reply to Matt Wobensmith from comment #1)
> Created attachment 746148 [details]
> This list was compiled after running m-c through top 1000 domains, with
> blocking of both active and display content enabled.

This is great work!

However, I think it is a little misleading as far as the user impact goes. For example, http://imgur.com/ might be a top-1000 site but https://imgur.com/ might never be used, even though it happens to kind of have "worked" in older versions of Firefox. And, in fact, https://imgur.com/ is "broken" consistently (AFAICT) between MSIE, Firefox, and Chrome. IMO, that consistency indicates that we are doing the right thing (and that previously we were doing the wrong thing).

I think the next step would be to go through the 103 URLs in the list in Google Chrome and see which ones render/behave differently between Chrome and Firefox. I picked Chrome specifically because our mixed content blocker is more strict than Chrome's blocker, so our blocker should break more pages than Chrome's blocker does. I picked 10 of the 103 URLs and found Chrome was very clearly also broken in 8 of them (https://www.sergey-mavrodi.com and https://pogo.com were not obviously broken in Chrome, but neither were they clearly broken in Firefox either, despite triggering the blocker icon in both).

Anyway, again, awesome work!
https://nytimes.com seems to have no css when mixed content is blocked.
(In reply to ben turner [:bent] from comment #3)
> https://nytimes.com seems to have no css when mixed content is blocked.

Thanks. That's already being tracked in bug 862164, though the main reason it is problematic is actually bug 769994.
Omnigroup blog can't load embedded Vimeo videos:

https://www.omnigroup.com/blog/entry/omnipresence-document-syncing-ships-this-week

[11:43:38.162] GET http://player.vimeo.com/video/66598535 [Mixed Content] [HTTP/1.1 200 OK 273ms]

If you load the http:// version of the Omnigroup blog or "Disable Protection on This Page", then the video loads as expected.
This site is broken:
https://www.domaintechnik.at/
FYI, if any site is serving their images from Amazon Cloudfront using a custom CNAME that maps the Cloudfront domain to their own domain, they can't be served as https (Cloudfront doesn't allow you to install an SSL cert).

So that might be a reason for a lot of breakage.

See: https://forums.aws.amazon.com/thread.jspa?threadID=87319
This website is broken:
https://www.aeriagames.com/

I've already tested it using Firefox in safe mode, but it still doesn't show its CSS unless I stop blocking the mixed content.
In the google reader bug (Bug 844555), a user has reported an issue with another feed reader:

> This problem is not specific to Google Reader, I noticed this with another
> feed reader https://www.newsblur.com/site/903/i-can-has-cheezburger

Noting it here so that we remember to follow-up and file a bug.
Part of Youtube is broken. When going to edit a video from your video manager it blocks the video. Below are two pictures one being without the video with mixed content blocker on, and the other with the video and with mixed content blocker disabled on the website.

Without Video: http://flickr.com/gp/96676561@N06/84js6r

With Video: http://flickr.com/gp/96676561@N06/71Q7sU
The attachment here contains domains that were taken from Alexa's top 1000. Using Alexa's list, we ran a test to determine how many of those sites could be determined to be broken under new mixed content rules.

Of the 77 sites we found broken:
* 60 sites: all 3 browsers are blocking
* 12 sites: not blocked on just Chrome (IE and Firefox block)
* 3 sites: not blocked on IE (Chrome and Firefox block)
* 2 sites: not blocked on IE or Chrome (only Firefox blocks)

We are continuing to drill down on affected sites and will be filing bugs on each one of them separately.
No longer blocks: 877406
Depends on: 877406
Depends on: 878121
https://www.real.com/ doesn't load properly.
The Youtube video walkthrough on this page doesn't appear with mixed content blocker on. https://support.us.playstation.com/app/answers/detail/a_id/1488/kw/safe%20mode
Adding spreadsheet of sites from Alexa top 1000 that have broken, as per Tanvi.
(In reply to Matt Wobensmith from comment #14)
> Created attachment 758260 [details]
> Spreadsheet of top broken sites, with additional data
> 
> Adding spreadsheet of sites from Alexa top 1000 that have broken, as per
> Tanvi.

The spreadsheet shows the breakdown for the:
* 12 sites Not blocked on just Chrome (IE and Firefox block)
* 3 sites not blocked on IE (Chrome and Firefox block)
* 2 sites not blocked on IE or Chrome (only Firefox blocks)


We also included and filed bugs for www.dell.com, espn.go.com, www.samsung.com, even though all 3 browsers blocked them.
Updated the spreadsheet a bit.
Attachment #758260 - Attachment is obsolete: true
Depends on: 880885
This webpage doesn't work with Mixed Content Blocker on.
https://www.apple.com/apple-events/june-2013/
Depends on: 881786
I'm going to start adding some whiteboard flags to the dependent bugs as we file them.

* [mcb-no-contact] - we don't have an email address for the third party
* [mcb-thirdparty-notified] - we emailed the third party
* [mcb-chrome] - chrome's mcb blocked the content too
* [mcb-chrome-29+] - Chrome's new version of mcb in Chrome Canary/29 will block the content too
* [mcb-ie] - IE blocks the content too
* [mcb-frame-descendants] - this occurs when the parent page is HTTP and the Mixed Content Blocker is still invoked because of an HTTPS iframe (frame descendants rule)
* [mcb-ie?] - We aren't sure if IE blocks the content
* [mcb-chrome?] - we aren't sure if Chrome blocks the content
One more whiteboard flag...
[mcb-ads-only]
Mixed Content Blocker blocks the download button on Adobe downloads on https://www.adobe.com/
Depends on: 883692
Depends on: 884197
http://www.apple.com/itunes/download/

(And I would suspect other apple.com product downloads.)

There is no notification at all in FF 24.
(Not really familiar with FF, so don't know if there should be.)

SeaMonkey 20 does give you a notification that something may be amiss.

Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0 SeaMonkey/2.20a2
Build identifier: 20130619013001

Mozilla/5.0 (Windows NT 5.1; rv:24.0) Gecko/20130619 Firefox/24.0
What I just posted may be covered by:
Bug 864787 - iTunes (Apple) download won't start with FireFox Nightly build

Ah, I now see that is already listed as a Depends.

Sorry about that.
Hi Brandon, re: comment 20: 

I don't see any content blocked on https://www.adobe.com, nor do I see the mixed content UI. Can you be more precise as to which content/URLs might be blocked on that page? Thank you very much.
Never mind - I found one page on Adobe's site that shows the problem: https://get.adobe.com/flashplayer/

I'll get a bug filed and contact them. Thank you!
https://www.lexisnexis.com/en-us/home.page

Upper right of the page, there should be a search box that fails to display.
Depends on: 886592
(In reply to therube from comment #25)
> https://www.lexisnexis.com/en-us/home.page
> 
> Upper right of the page, there should be a search box that fails to display.

Filed bug 886592.  This is because of Mixed Content javascript and css, so should be an issue on all 3 browsers (Chrome, Firefox, and IE).
Depends on: 887430
Depends on: 888428
Blocks: 888790
No longer blocks: 888790
Depends on: 888790
Depends on: 889010
Depends on: 889035
Depends on: 889170
QA Contact: mihai.morar
This webpage doesn't load the feedback form. On the bottom there should be a box for feedback and a drop down menu that lets you choose the topic of your feedback. With Mixed Content Blocker on it blocks the feedback form.

https://us.playstation.com//community/feedback/
Depends on: 890898
(In reply to Brandon Park from comment #27)
> This webpage doesn't load the feedback form. On the bottom there should be a
> box for feedback and a drop down menu that lets you choose the topic of your
> feedback. With Mixed Content Blocker on it blocks the feedback form.
> 
> https://us.playstation.com//community/feedback/

Covered in bug 879081.
Depends on: 892770
Depends on: 892810
Depends on: 892976
Depends on: 863054
https://www.ea.com/ doesn't load properly.
Depends on: 893428
https://youtube.com videos (example: https://www.youtube.com/watch?v=Vz3pdjd8So8) + THIS BOOKMARKLET:

javascript:%20/*___Dirpy_Studio_Bookmarklet___*/(function(){var%20b=document.getElementsByTagName("head")[0];var%20c=new%20Date().getTime();var%20a=document.createElement("script");a.src="http://dirpy.com/js/studio-bookmarklet.js?"+c;a.onload=a.onreadystatechange=function(){if(!loaded&&(!this.readyState||this.readyState=="loaded"||this.readyState=="complete")){a.onload=a.onreadystatechange=null;b.removeChild(a)}};b.appendChild(a)})();

It gives me a content blocker message; when I click on "allow on page", it refreshes and still blocks the bookmarklet.
Firefox 24 Aurora
Depends on: 895574
(In reply to Brandon Park from comment #29)
> https://www.ea.com/ doesn't load properly.
Filed Bug 895574.
(In reply to numerelle from comment #30)
> It gives me a content blocker message, when I click on allow on page, it
> refreshes and still blocks the bookmarklet
> Firefox 24 Aurora

Issues with Mixed Content Blocker and bookmarklets are covered in bug https://bugzilla.mozilla.org/show_bug.cgi?id=886663.
Depends on: 895576
(In reply to Tanvi Vyas [:tanvi] from comment #31)
> Mixed Active Content on https://www.kaskus.co.id/ - 

Filed bug 895576.
(In reply to raymond [:retornam] from comment #35)
> Mixed active content on https://mozilla.kanbanery.com/projects/33256/board/
> Blocked loading mixed active content
> "http://www.googleadservices.com/pagead/conversion.js" @
> https://mozilla.kanbanery.com/projects/33256/board/

Looks like I need a login to access this.  Is this a mozilla website?  Or an external website?
(In reply to Tanvi Vyas [:tanvi] from comment #36)
> (In reply to raymond [:retornam] from comment #35)
> > Mixed active content on https://mozilla.kanbanery.com/projects/33256/board/
> > Blocked loading mixed active content
> > "http://www.googleadservices.com/pagead/conversion.js" @
> > https://mozilla.kanbanery.com/projects/33256/board/
> 
> Looks like I need a login to access this.  Is this a mozilla website?  Or an
> external website?

This is an external website used by the Web Production team. I've emailed Mike Alexis(cc'ed you) to create an account for you.
Cannot enter credit card info on https://www.lensal.com/odeme.aspx (A Turkish contact lens shopping site). "disable protection for this page" doesn't help, making it impossible to complete the order.
https://opendesktop.org/ seems to be broken in nightly 25.0a1.
Gizmo's freeware site/forum is broken by the mixed-content blocker. It fails to display, shows the shield mentioned in the article, and then displays correctly when the mixed-content blocker is disabled for the site.

https://www.techsupportalert.com/

Sorry if this has been reported already, I did a quick search but couldn't see it anywhere.
(In reply to Selim Sumlu from comment #38)
> Cannot enter credit card info on https://www.lensal.com/odeme.aspx (A
> Turkish contact lens shopping site). "disable protection for this page"
> doesn't help, making it impossible to complete the order.

This is difficult to test without a login (and without a familiarity with Turkish).  Can you tell us what content is blocked (Open the Developer Tools -> Webconsole and copy the contents from the "Security" pane)?

On the non-credit card pages, I see that jquery is blocked:
Blocked loading mixed active content "http://code.jquery.com/jquery.min.js" @ https://www.lensal.com/uye-giris?gelen=sp

Perhaps you could also help us out by contacting the site and letting them know about this issue (perhaps there is contact information somewhere on the site)?

Thanks for your help and for reporting this issue!
(In reply to Tanvi Vyas [:tanvi] from comment #41)
> (In reply to Selim Sumlu from comment #38)
> > Cannot enter credit card info on https://www.lensal.com/odeme.aspx (A
> > Turkish contact lens shopping site). "disable protection for this page"
> > doesn't help, making it impossible to complete the order.
> 
> This is difficult to test without a login (and without a familiarity with
> Turkish).  Can you tell us what content is blocked (Open the Developer Tools
> -> Webconsole and copy the contents from the "Security" pane)?
> 
> On the non-credit card pages, I see that jquery is blocked:
> Blocked loading mixed active content "http://code.jquery.com/jquery.min.js"
> @ https://www.lensal.com/uye-giris?gelen=sp
> 
> Perhaps you could also help us out by contacting the site and letting them
> know about this issue (perhaps there is contact information somewhere on the
> site)?
> 
> Thanks for your help and for reporting this issue!

Looks like it's only jQuery. You may have a look at http://img543.imageshack.us/img543/9889/2rq3.jpg .

Is there any tutorial kind of page that may help them solve this?
Depends on: 897064
(In reply to Selim Sumlu from comment #42)
> Is there any tutorial kind of page that may help them solve this?

Yes!  You can send them https://developer.mozilla.org/en-US/docs/Security/MixedContent/fix_website_with_mixed_content.  In this case the blocked code is http://code.jquery.com/jquery.min.js, but jquery doesn't provide an https version (Going to https://code.jquery.com/jquery.min.js gives you a cert error).  They can copy the jquery code and host it themselves though.

You can also reference even more info on Mixed Content if they want further reading:
https://developer.mozilla.org/en-US/docs/Security/MixedContent
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

Thank you very much for your help Selim!
Depends on: 897754
Depends on: 898111
Depends on: 898391
Depends on: 898399
https://s5.parature.com/

After I log in, this site uses an iframe to display custom content from a server on my office intranet. (The problem isn't with Parature; it's our IT department's choice not to use https for an intranet site).

Aurora blocks this. It works temporarily if I override it, but Aurora doesn't retain that setting.

(Chrome 28.0.1500.72 m does not block the iframe, but MSIE 9 does.)
Depends on: 898938
No longer depends on: 898391
Depends on: 899140
Depends on: 900440
Depends on: 900449
Depends on: 900458
No longer depends on: 900680
No longer depends on: 900766
Actually, in a blog (https://korben.info) accessed over HTTPS, the Vimeo player is not loading; MCB is blocking it.
I use the latest FF23 beta and an up-to-date HTTPS Everywhere, which doesn't correct the Vimeo address since their rule is "default off". But shouldn't a video fall under the "passive mixed content" case, and so be allowed rather than blocked? Given that the player uses the Flash plugin, it may be considered "active"; isn't this one of the edge cases?
I think this should be corrected, because it would surely cause "security warning fatigue" if it's deployed in the release channel.
I hope this helps, and I apologize in advance if I didn't post in the right place, as this is my first contribution to Bugzilla.
The website for https://na5.salesforce.com is broken. The parent domain is salesforce.com, which is a CRM product we use in our call center. This has an integrated telephony suite provided by Five9.com. In order for the Five9 softphone CTI adapter to work with Salesforce, it must allow a popup from http://localhost:11000/?sfdcFrameOrigin=https%3A%2F%2Fna5.salesforce.com&sid=00D700000008LF7!AQYAQDX.iZSCnwqrhxU3uAU9NNAfMHuAzkFLDPwJAhah5G.7QGoOGd9wAdJwKHNXVEoDQ8_zSdS0bKZDsm4Lh7Rr8RgMfwAZ&

This popup is blocked as mixed content, preventing use of our call center's CRM and phone systems. It is not possible to allow mixed content on a per-page basis since each account record is pulled as a unique URL.

Please update to allow a domain level mixed-content approval ability, if not a global mixed-content approval ability. This is critical, and we would love to keep supporting the use of Firefox, but will not be able to do so until this bug is corrected.

Thank you
(In reply to michael.brodie from comment #46)
> Please update to allow a domain level mixed-content approval ability, if not
> a global mixed-content approval ability. This is critical, and we would love
> to keep supporting the use of Firefox, but will not be able to do so until
> this bug is corrected.
> 

Hi Michael,

Yes, we understand your concerns. See bug 902156 where we're working on part of the issue. The domain/global approval ability is something we're currently discussing also.
Depends on: 903876
Not sure if this is the place to report: http links in craigslist forums (user posted links and craigslist links) won't open when clicked (but can be opened in a new tab) in Firefox 23. They trigger the mixed content alarm which does then allow a single-case exception if the user chooses it.
(In reply to Aidan Corey from comment #44)
> https://s5.parature.com/
> 
> After I log in, this site uses an iframe to display custom content from a
> server on my office intranet. (The problem isn't with Parature; it's our IT
> department's choice not to use https for an intranet site).
> 
> Aurora blocks this. It works temporarily if I override it, but Aurora
> doesn't retain that setting.
> 
> (Chrome 28.0.1500.72 m does not block the iframe, but MSIE 9 does.)

Chrome 30+ will also block the iframe.
(In reply to michael.brodie from comment #46)
> The website for https://na5.salesforce.com is broken. The parent domain is
> salesforce.com, which is a CRM product we use in our call center. This has
> an integrated telephony suite provided by Five9.com  In order for the Five9
> softphone CTI adapter to work with Salesforce, it must allow a popup from
> http://localhost:11000/?sfdcFrameOrigin=https%3A%2F%2Fna5.salesforce.
> com&sid=00D700000008LF7!AQYAQDX.iZSCnwqrhxU3uAU9NNAfMHuAzkFLDPwJAhah5G.
> 7QGoOGd9wAdJwKHNXVEoDQ8_zSdS0bKZDsm4Lh7Rr8RgMfwAZ&
> 

Letting salesforce know about this will also be helpful.  Thanks!
(In reply to Hedda from comment #48)
> Not sure if this is the place to report:  http links in craigslist forums
> (user posted links and craigslist links) won't open when clicked (but can be
> opened in a new tab) in FireFox 23.  They trigger the mixed content alarm
> which does then allow a single-case exception if the user chooses it.

There is a bug related to the craigslist issue - it is a functionality issue with the Mixed Content Blocker itself.  It shouldn't be blocking page navigation.  I have a patch and am working on the tests so that we can land and uplift the fix to this bug (https://bugzilla.mozilla.org/show_bug.cgi?id=902350).
(In reply to Tanvi Vyas [:tanvi] from comment #51)
> ... I have a patch and am working on the tests so that we can land
> and uplift the fix to this bug
> (https://bugzilla.mozilla.org/show_bug.cgi?id=902350).

Thanks for the 902350 bug thread reference.
https://www.commondreams.org/view/2013/08/14-5 blocks mixed script for disqus.  The https version does exist though, so they would just need to update their link:

Blocked loading mixed active content "http://commondreams.disqus.com/embed.js" @ https://www.commondreams.org/sites/commondreams.org/files/js/js_fb13a435ea97c698380ff317a51ea2bd.js:19
Login dialog blocked at:

https://www.allscripts.com/en/client-login.html

Chrome & IE both allow this login dialog, I found this bug thread troubleshooting why it stopped working in Firefox 23 for Mac and Windows clients.
I have a company-private application running which does an XHR POST to http://localhost:12345/resource
It's no longer working. Can you please add an exception for "localhost" as MITM attacks aren't possible here?
Joern, such exceptions (e.g. IE's "intranet" mode) are a nightmare for developers. "It works on my computer", only until it is deployed to the test or production environment.

In your case you could (depending on your httpd) make it work by enabling https (with self-signed cert) on your localhost.
(In reply to jasonfz from comment #54)
> Login dialog blocked at:
> 
> https://www.allscripts.com/en/client-login.html
> 
> Chrome & IE both allow this login dialog, I found this bug thread
> troubleshooting why it stopped working in Firefox 23 for Mac and Windows
> clients.
This page has mixed content script from jquery.

Testing on Chrome 28, the script is also blocked:

[blocked] The page at https://www.allscripts.com/en/client-login.html ran insecure content from http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js.

Since this is script, I suspect that IE has also blocked the script.  It is possible that the site has written IE-specific code.
Depends on: 904807
(In reply to Joern Heissler from comment #55)
> I have a company-private application running which does an XHR POST to
> http://localhost:12345/resource
> It's no longer working. Can you please add an exception for "localhost" as
> MITM attacks aren't possible here?

Is the localhost:12345 service robust enough to be exposed to the public internet? That's basically what you've done there, with your browser as the bridge. Maybe your own app won't abuse the service but you're relying on "security by obscurity" to protect you from everyone else. In my experience such services are usually developed without much thought about security because the makers somehow think the magic firewall will protect them.

Ideally we'd like to kill all access to local addresses from public web pages (bug 354493) but I don't see that flying any time soon. That may not match the situation here anyway since you said it was a "company-private" application; is it hosted on an internal network address?
(In reply to Stefan Baebler from comment #56)
> Joern, such exceptions (eg. IE's "intranet" mode) are a nightmare for
> developers. "It works on my computer", only until it is deployed to test or
> production environment.

Oh dear, I didn't even test it with MS products yet. Good that the group of users is limited and doesn't use MS :-)

> In your case you could (depending on your httpd) make it work by enabling
> https (with self-signed cert) on your localhost.

Would mean importing that cert into all browsers, might be easier to get a real cert for e.g. https://localhost.mydomain.tld/ and set dns record to 127.0.0.1

(In reply to Daniel Veditz [:dveditz] from comment #58)
> Is the localhost:12345 service robust enough to be exposed to the public
> internet? That's basically what you've done there, with your browser as the
> bridge.
 
The webserver checks the Origin header; if it's not our own domain, it replies with 403. Unless a malicious website can fake the origin, it should be secure. Even if not, the worst damage would be some DoS.

> Ideally we'd like to kill all access to local addresses from public web
> pages (bug 354493) but I don't see that flying any time soon. That may not
> match the situation here anyway since you said it was a "company-private"
> application; is it hosted on an internal network address?

It's hosted on a public address. Might be changed to using a VPN, but that's also trouble to setup currently.
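The Origin allow-list check that Joern describes (a local service that answers 403 unless the request's Origin is its own domain), written out as an added example; this is not the poster's code and does not change what the Mixed Content Blocker decides, since the blocker drops the http://localhost request before any server-side check runs. The allowed origin https://app.example is a hypothetical name. The check treats an origin as scheme + host + port, compares every part exactly, and only echoes back an origin it accepted:

```python
from urllib.parse import urlsplit

# Constructed allow-list of origins permitted to call the local service.
# "https://app.example" is a hypothetical name for this example.
ALLOWED_ORIGINS = {"https://app.example"}


def _origin_key(origin):
    """Reduce a serialized origin to (scheme, host, port), or None if it is
    not a well-formed http(s) origin. "null" (opaque origin) and values with
    a path or query fall out here, because a browser never sends those."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if port is None:
        port = 443 if scheme == "https" else 80
    return (scheme, parts.hostname.lower(), port)


# Normalise the allow-list once so comparisons are on keys, not raw strings.
ALLOWED = {_origin_key(o) for o in ALLOWED_ORIGINS}


def check_origin(headers):
    """Decide whether a request may use the service.

    headers: mapping of request header names (any case) to values.
    Returns (http_status, extra_response_headers)."""
    origin = None
    for name, value in headers.items():
        if name.lower() == "origin":
            origin = value.strip()
    if origin is None:
        # A cross-site XHR always carries Origin; a request without it did
        # not come from the page we expect, so deny rather than guess.
        return 403, {}
    key = _origin_key(origin)
    if key is None or key not in ALLOWED:
        # Exact key comparison also rejects near-misses such as
        # https://app.example.other, which a prefix match would accept.
        return 403, {}
    # Echo only the origin we accepted and tell caches the answer varies by it.
    return 200, {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}


if __name__ == "__main__":
    for sample in ({"Origin": "https://app.example"},
                   {"Origin": "https://app.example.other"},
                   {"Origin": "null"},
                   {}):
        print(sample, "->", check_origin(sample)[0])
```

The browser, not the page's script, sets the Origin header, which is why the check is meaningful; what it cannot do is vouch for the service itself, which is the point dveditz raises above.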
The Learning Management System known as Sakai CLE is particularly susceptible because of its heavy reliance on iframes. http://www.sakaiproject.org/

Here at Yale, our deployment of Sakai is branded "Classes*v2" https://classesv2.yale.edu/

While not open to the general public, we have already received faculty reports of issues stemming from mixed content blocking. We expect to hear more when classes start next week.
Good morning,

My company creates and maintains User Generated Content Contests for our clients, and our Facebook integration is not functioning properly with Mixed Content Blocking.  This is primarily because our Content Hosting Provider does not support HTTPS uploading.

Currently the issue seems to only happen within the facebook canvas page.

Here is a link to our test contest

https://apps.facebook.com/digitalivystaging/fb/319327748166522/5bygjx

Instructions on recreating the bug

1) Login to Facebook and proceed to the link above (make sure you have Secure Browsing enabled in facebook Account Settings -> Security)
2) Click Submit an Entry (you might be asked to register, fake data is fine as it's a test contest)
3) attempt to create a submission by uploading an image file.
4) You will get a mixed content error that blocks this process.

We are able to work around it by disabling this feature on the page prior to submission.  This functionality works perfectly in all major Browsers including Firefox 22.  This issue appeared with the release of Firefox 23.

This did expose a few places we could improve our code which we are working on but currently this is the only piece that is out of our control.  Any ideas would be appreciated.

Thanks

Kenneth Garza
AMP Contesting Development Team Lead
Triton Digital
kenneth.garza@tritondigital.com
Depends on: 909761
(In reply to Tanvi Vyas - out until 9/4 [:tanvi] from comment #57)
> (In reply to jasonfz from comment #54)
> > Login dialog blocked at:
> > 
> > https://www.allscripts.com/en/client-login.html
> > 
> > Chrome & IE both allow this login dialog, I found this bug thread
> > troubleshooting why it stopped working in Firefox 23 for Mac and Windows
> > clients.
> This page has mixed content script from jquery.
> 
> Testing on Chrome 28, the script is also blocked:
> 
> [blocked] The page at https://www.allscripts.com/en/client-login.html ran
> insecure content from
> http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js.
> 
> Since this is script, I suspect that IE has also blocked the script.  It is
> possible that the site has written IE-specific code.

The webmaster has updated their site to be compliant and removed the insecure content -- it now works as intended and thank you very much for assisting with pointing them in the right direction!  It now works under all browsers including Firefox under Mac/Windows.
SciQuest SelectSite punchouts are failing when vendor sites are HTTP.
Depends on: 910710
The reporting tool on www.fastexas.org is now broken.

The application serves flash files for the reports.

To re-create:
https://ourcpa.cpa.state.tx.us/fast/rpttool/disclaimerSubmit.do
Click the disclaimer button;
Select the radio button: View a FAST profile for a single specific district or compare multiple specific districts.
Select any district from the list and hit submit.

Yes I know the architecture of this is problematic, and I wouldn't even bother reporting this if the UX of bypassing this blocker was not SO RIDICULOUSLY CONVOLUTED.
Columbus State Community College - Online portal (Black Board)
Mixed content tripping.

https://courses.cscc.edu/
(In reply to Jason Stillion from comment #65)
> Columbus State Community College - Online portal (Black Board)
> Mixed content tripping.
> 
> https://courses.cscc.edu/

Their portal is displaying mixed content; not sure if they can make changes to not show mixed content.
Blocks: 900465
Depends on: 911861
Blocks: 907361
Depends on: 906447
This is causing a big issue at the University of West Georgia and many other schools using Desire2Learn learning management system, Wikispaces, YouTube, and many other sources of web content for online education.

One MAJOR problem is that FFox does NOT always provide the little "mixed content" shield (have screenshots proving it). Therefore, directing FF users to "click on the shield to allow" does not work if there is no shield available.  (I'm not sure if I have posted this in the correct bug report)
(In reply to J Gubbins from comment #67)
> This is causing a big issue at the University of West Georgia and many other
> schools using Desire2Learn learning management system, Wikispaces, YouTube,
> and many other sources of web content for online education.
> 
> One MAJOR problem is that FFox does NOT always provide the little "mixed
> content" shield (have screenshots proving it). Therefore, directing FF users
> to "click on the shield to allow" does not work if there is no shield
> available.  (I'm not sure if I have posted this in the correct bug report)

Hi J,

Thank you for your comment!  When we block mixed active content, the shield should definitely show up in the url bar.  If not, that is a bug and we need to fix it.  Can you provide me with an example url where you are experiencing this behavior?  I can test it out and see what is going on.

If you aren't sure if the issues you are experiencing are due to mixed content or something else, you can also open up the Developer Tools Web Console (https://developer.mozilla.org/en-US/docs/Tools/Web_Console).  The security pane will tell you if any content is blocked by the Mixed Content Blocker:
https://mdn.mozillademos.org/files/5261/blocked-mixed-content-errors.png

Thanks!
(In reply to Tanvi Vyas [:tanvi] from comment #68)
> (In reply to J Gubbins from comment #67)
> > This is causing a big issue at the University of West Georgia and many other
> > schools using Desire2Learn learning management system, Wikispaces, YouTube,
> > and many other sources of web content for online education.
> > 
> > One MAJOR problem is that FFox does NOT always provide the little "mixed
> > content" shield (have screenshots proving it). Therefore, directing FF users
> > to "click on the shield to allow" does not work if there is no shield
> > available.  (I'm not sure if I have posted this in the correct bug report)
> 
> Hi J,
> 
> Thank you for your comment!  When we block mixed active content, the shield
> should definitely show up in the url bar.  If not, that is a bug and we need
> to fix it.  Can you provide me with an example url where you are
> experiencing this behavior?  I can test it out and see what is going on.
> 
> If you aren't sure if the issues you are experiencing are due to mixed
> content or something else, you can also open up the Developer Tools Web
> Console (https://developer.mozilla.org/en-US/docs/Tools/Web_Console).  The
> security pane will tell you if any content is blocked by the Mixed Content
> Blocker:
> https://mdn.mozillademos.org/files/5261/blocked-mixed-content-errors.png
> 
> Thanks!

Hello Tanvi,

I work with J at the University of West Georgia. I took a screenshot of Firefox blocking mixed content without offering an option to show all content on the page (http://www.westga.edu/~wstevers/firefox_blocked_content.jpg). We are seeing this error in our Learning Management System, so we are unable to provide a direct link to test. If there is a private communication method we could use to communicate through, we would be happy to provide test credentials.

Thank you!
Hi DW and J,

Thanks for providing the screenshot. I've emailed you to see if I can get credentials to test with.  One other question - what operating system are you using?  This might be an issue specific to Firefox with Windows 7.
(In reply to DW Steverson from comment #69)
> http://www.westga.edu/~wstevers/firefox_blocked_content.jpg

I see that your screenshot shows we blocked a YouTube video. When possible, you can (and should) fix this issue with YouTube videos on your end by replacing the "http" with "https" in the <iframe src=http://youtube.com/...> part of the page, because youtube.com does support HTTPS for embedded videos.
Can't use the captive portal at CDG to purchase WiFi with Aurora 25.0a2.  Works fine with Safari.   Fails between showing the terms and the payment page.

https://mercanet.netinary.net/centralportal   

Aéroports de Paris.  The customer service number for WiFi is 0 805 46 94 34.
Depends on: 916103
Depends on: 916783
My company developed a web-based retail point of sale system (FaceCash Register, which runs on https://www.facecash.com) that uses a local Windows program running a web server to operate an optional second printer and cash drawer. That local web server does not have an SSL certificate, even though everything happening on the FaceCash web site uses SSL and is addressed as https://. Consequently, when our JavaScript call goes out to http://localhost to send data to Windows, it triggers the mixed content blocker and prevents the cash drawer from opening and/or the kitchen printer from printing. This is a problem.

It seems like you can disable mixed content blocking for the site, but it only applies to that browser session. The next time our merchant goes back to the site, it's blocked again.
This website is broken:
http://www.textyourexbackpdf.info/

I've already tested it using Firefox in safe mode, but it still doesn't show its CSS unless I stop blocking the mixed content.
Sites where Mixed Active Content only appeared on 1 or 2 browsers, but not all 3.

Updated the spreadsheet a bit.

http://vimeo.com/79090838
http://vimeo.com/78989947
No longer blocks: 900465
Depends on: 900465
> Upper right of the page, there should be a search box that fails to display.
http://www.thesomanabolicmusclemaximizereview.com/
Depends on: 888940
Depends on: 955864
I think this fits better in Tech Evangelism.
[Depends on 920536]
Depends on: 961700
Assignee: nobody → english-other
Component: Security → English Other
Depends on: 920536
Product: Firefox → Tech Evangelism
Depends on: 975929
Depends on: 989830
Depends on: 996454
Depends on: 1006347
Depends on: 654914
No longer depends on: 769846
No longer depends on: 1006347
Subscribe box show larger in laptop

Page Link -  http://www.couponbaba.in/flipkart.com/
As with a previous comment our company has several web functions that utilize call backs to http://localhost for interacting with Java apps. Mixed Content blocking has now become a problem to functionality which has no or limited risk for data exposure.  As localhost does not have security cert, forcing those calls to be HTTPS breaks function.  

Really need either permanent site white list for exception as reloading the page to create temporary exception every time the user logs in is inconvenient.  Or have internal to firefox an exclusion for applying mixed content filtering to any "localhost" URL.....

Again, good idea, but implications not well thought out for general impact.
Error in my site, Showing twitter account is not connected. Plz Check.

http://www.knottykart.com
(In reply to Niisha from comment #83)
> Subscribe box show larger in laptop
> 
> Page Link -  http://www.couponbaba.in/flipkart.com/

(In reply to Niisha from comment #85)
> Error in my site, Showing twitter account is not connected. Plz Check.
> 
> http://www.knottykart.com

Mixed Content Blocker only affects sites that provide SSL. Your site seems to support only http, so these issues are not related to the mixed content blocker.
Assignee: english-other → nobody
Component: English Other → Desktop
What would be a good way to test with JS that one or more resources have mcb?

aka 

When accessing https://www.example.com/
there is a resource http://overthere.example.net/ which is downloaded.

In the console it displays:
Blocked loading mixed active content "http://***"[Learn More]


asking because it would be good to add to our automated tests in 
https://github.com/hallvors/sitecomptester-extension/blob/master/data/sitedata.json

Example:
https://github.com/hallvors/sitecomptester-extension/blob/master/data/sitedata.json#L245
In the slimerjs test runner I do this which sort of works - 

    var page = require('webpage').create();   // SlimerJS/PhantomJS page object
    var httpResources = [];                   // http:// resources that failed to load

    page.onResourceError = function (res) {
        // anchored so an https:// URL that merely carries "http://" in its query string is not counted
        if (/^http:\/\//.test(res.url)) {
            httpResources.push(res.url);
        }
    };
It's kind of good enough, but it might be nice to also pick up the console warnings..
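The following is an added example, not code from the bug thread or from the sitecomptester-extension project, illustrating two points raised above: Tanvi's advice to fix a blocked YouTube embed by serving the iframe over https://, and Karl's question about checking from JS which resources the blocker would flag. It scans a page's HTML for sub-resource references, resolves them against the page URL, sorts them into mixed active, mixed display and secure, proposes the https:// rewrite for the mixed ones, and parses the console warning quoted in the thread. The sample page, its URLs, and the tag-to-category table are assumptions made up for this example (the table approximates the active/display split; it is not the browser's own list, and it treats every <link> as active although only stylesheets are).

```javascript
'use strict';

// Console warning Firefox prints, wording as quoted in the thread:
//   Blocked loading mixed active content "http://example.net/x.js"[Learn More]
const CONSOLE_RE = /Blocked loading mixed (active|display) content "([^"]+)"/;

// Returns {kind, url} for a blocker warning, or null for any other console line.
function parseConsoleWarning(line) {
  const m = CONSOLE_RE.exec(line);
  return m ? { kind: m[1], url: m[2] } : null;
}

// Assumed tag table: elements whose loads can run script or touch the DOM count as
// active; images and media count as display. Approximation, not the browser's list.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'link', 'object', 'embed']);
const DISPLAY_TAGS = new Set(['img', 'audio', 'video']);

// Crude tag scanner, good enough for test fixtures: tag name plus src/href/data value.
// Anchors (<a href>) are deliberately absent: navigations are not mixed content.
const TAG_RE = /<(script|iframe|link|object|embed|img|audio|video)\b[^>]*?\s(?:src|href|data)\s*=\s*["']?([^"'\s>]+)/gi;

// Classify every sub-resource reference in `html`, resolved against `pageUrl`.
// A page served over http:// has no mixed content at all (comment 86 in the thread).
function classifyResources(pageUrl, html) {
  const page = new URL(pageUrl);
  const result = { active: [], display: [], secure: [] };
  if (page.protocol !== 'https:') return result;

  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    let resolved;
    try {
      resolved = new URL(m[2], page.href); // relative and scheme-relative (//host/..) refs inherit https
    } catch (e) {
      continue; // unparsable reference, not a network load
    }
    if (resolved.protocol !== 'http:') {
      result.secure.push(resolved.href);
    } else if (ACTIVE_TAGS.has(tag)) {
      result.active.push(resolved.href);
    } else if (DISPLAY_TAGS.has(tag)) {
      result.display.push(resolved.href);
    }
  }
  return result;
}

// The fix suggested for the YouTube iframe: the same URL over https://.
// Only the scheme changes, so it helps only where the host serves the resource over TLS.
function httpsRewrite(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:') return url;
  u.protocol = 'https:';
  return u.href;
}

// Constructed sample page (made up for this example).
const SAMPLE_PAGE_URL = 'https://www.example.com/course/';
const SAMPLE_HTML = `
<html><head>
  <link rel="stylesheet" href="//cdn.example.com/site.css">
  <script src="http://overthere.example.net/widget.js"></script>
</head><body>
  <iframe src="http://www.youtube.com/embed/VIDEO_ID"></iframe>
  <img src="http://images.example.org/logo.png">
  <img src="/static/local.png">
  <a href="http://www.example.com/other">navigation link, not a sub-resource</a>
</body></html>`;

// Runs the classifier over the sample page and returns everything a test would assert on.
function demo() {
  const report = classifyResources(SAMPLE_PAGE_URL, SAMPLE_HTML);
  return {
    report,
    fixes: report.active.map(httpsRewrite),
    warning: parseConsoleWarning(
      'Blocked loading mixed active content "http://overthere.example.net/widget.js"[Learn More]'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a sitecomptester-style run the HTML would come from the fetched page and the console line from the console listener; here both are inline so the script runs offline. The `secure` bucket is worth keeping in the output: a scheme-relative `//cdn...` reference looks like it might be a problem but resolves to https:// on an https:// page.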
> Upper right of the page, there should be a search box that fails to display.
http://www.reviewsnq.com/

I've already tested it using Firefox in safe mode, but it still doesn't show its CSS unless I stop blocking the mixed content.
Depends on: 1153536
Personally I do not see a Mixed Content Blocked indication when I visit your site with Firefox.
If you see a problem yourself when using Firefox and think there is a problem with Firefox, you may like to ask on the Mozilla Support site: https://support.mozilla.org/questions/new/

If the issue is apparently with the website design, some third-party site may be able to assist you. I would suggest trying: http://forums.mozillazine.org/viewforum.php?f=25 (Web Development / Standards Evangelism)

If you are getting reports of users seeing a shield on the location bar of Firefox it may be the experimental Tracking Blocking feature see https://support.mozilla.org/kb/tracking-protection-firefox
http://trailerweb.tumblr.com/
Flags: needinfo?(swiftt147)
Comment on attachment 746148 [details]
Domains that trigger mixed content blocker

>68:34.13  Mixed Content Doorhanger appeared: (94)https://imgur.com
>68:34.13  Mixed Content Doorhanger appeared: (94)https://www.imgur.com
>68:34.14  Mixed Content Doorhanger appeared: (103)https://espn.go.com
>68:34.14  Mixed Content Doorhanger appeared: (103)https://www.espn.go.com
>163:21.58  Mixed Content Doorhanger appeared: (117)https://www.nytimes.com
>163:21.58  Mixed Content Doorhanger appeared: (137)https://www.ehow.com
>163:21.58  Mixed Content Doorhanger appeared: (173)https://www.orange.fr
>163:21.59  Mixed Content Doorhanger appeared: (241)https://www.ameba.jp
>163:21.59  Mixed Content Doorhanger appeared: (260)https://www.iqiyi.com
>163:21.59  Mixed Content Doorhanger appeared: (266)https://www.mobile01.com
>163:21.59  Mixed Content Doorhanger appeared: (270)https://www.samsung.com
>163:21.59  Mixed Content Doorhanger appeared: (275)https://www.tagged.com
>163:21.59  Mixed Content Doorhanger appeared: (284)https://www.myspace.com
>163:21.59  Mixed Content Doorhanger appeared: (287)https://www.siteadvisor.com
>163:21.59  Mixed Content Doorhanger appeared: (295)https://isohunt.com
>163:21.59  Mixed Content Doorhanger appeared: (295)https://www.isohunt.com
>163:21.59  Mixed Content Doorhanger appeared: (304)https://www.weebly.com
>163:21.59  Mixed Content Doorhanger appeared: (310)https://www.twoo.com
>163:21.59  Mixed Content Doorhanger appeared: (311)https://imageshack.us
>163:21.60  Mixed Content Doorhanger appeared: (311)https://www.imageshack.us
>163:21.60  Mixed Content Doorhanger appeared: (322)https://www.exoclick.com
>163:21.60  Mixed Content Doorhanger appeared: (331)https://www.intuit.com
>163:21.60  Mixed Content Doorhanger appeared: (350)https://www.seznam.cz
>163:21.60  Mixed Content Doorhanger appeared: (356)https://mashable.com
>163:21.60  Mixed Content Doorhanger appeared: (356)https://www.mashable.com
>163:21.60  Mixed Content Doorhanger appeared: (358)https://beeg.com
>163:21.60  Mixed Content Doorhanger appeared: (358)https://www.beeg.com
>163:21.60  Mixed Content Doorhanger appeared: (366)https://www.match.com
>163:21.60  Mixed Content Doorhanger appeared: (386)https://www.wix.com
>163:21.60  Mixed Content Doorhanger appeared: (394)https://abcnews.go.com
>163:21.60  Mixed Content Doorhanger appeared: (394)https://www.abcnews.go.com
>163:21.60  Mixed Content Doorhanger appeared: (398)https://9gag.com
>163:21.60  Mixed Content Doorhanger appeared: (399)https://www.dell.com
>163:21.60  Mixed Content Doorhanger appeared: (401)https://bleacherreport.com
>168:53.71  Mixed Content Doorhanger appeared: (406)https://www.buzzfeed.com
>168:53.71  Mixed Content Doorhanger appeared: (412)https://www.ning.com
>168:53.71  Mixed Content Doorhanger appeared: (416)https://acesse.com
>168:53.71  Mixed Content Doorhanger appeared: (416)https://www.acesse.com
>168:53.71  Mixed Content Doorhanger appeared: (428)https://www.terra.com.br
>168:53.71  Mixed Content Doorhanger appeared: (463)https://www.mobile.de
>168:53.71  Mixed Content Doorhanger appeared: (483)https://www.123rf.com
>168:53.71  Mixed Content Doorhanger appeared: (484)https://inbox.com
>168:53.71  Mixed Content Doorhanger appeared: (484)https://www.inbox.com
>168:53.71  Mixed Content Doorhanger appeared: (490)https://youm7.com
>168:53.71  Mixed Content Doorhanger appeared: (490)https://www.youm7.com
>168:53.71  Mixed Content Doorhanger appeared: (512)https://www.sahibinden.com
>168:53.71  Mixed Content Doorhanger appeared: (521)https://www.tmz.com
>168:53.71  Mixed Content Doorhanger appeared: (540)https://www.verizonwireless.com
>168:53.71  Mixed Content Doorhanger appeared: (552)https://www.blackhatworld.com
>168:53.71  Mixed Content Doorhanger appeared: (561)https://www.infusionsoft.com
>168:53.71  Mixed Content Doorhanger appeared: (568)https://www.888.com
>168:53.71  Mixed Content Doorhanger appeared: (572)https://avazutracking.net
>168:53.71  Mixed Content Doorhanger appeared: (572)https://www.avazutracking.net
>168:53.71  Mixed Content Doorhanger appeared: (576)https://www.pixnet.net
>168:53.71  Mixed Content Doorhanger appeared: (577)https://xda-developers.com
>168:53.71  Mixed Content Doorhanger appeared: (577)https://www.xda-developers.com
>168:53.71  Mixed Content Doorhanger appeared: (582)https://www.sergey-mavrodi.com
>168:53.71  Mixed Content Doorhanger appeared: (588)https://www.mynet.com
>168:53.71  Mixed Content Doorhanger appeared: (591)https://pogo.com
>168:53.71  Mixed Content Doorhanger appeared: (591)https://www.pogo.com
>168:53.72  Mixed Content Doorhanger appeared: (596)https://mgid.com
>168:53.72  Mixed Content Doorhanger appeared: (596)https://www.mgid.com
>168:53.72  Mixed Content Doorhanger appeared: (603)https://www.mapquest.com
>168:53.72  Mixed Content Doorhanger appeared: (605)https://swagbucks.com
>168:53.72  Mixed Content Doorhanger appeared: (605)https://www.swagbucks.com
>168:53.73  Mixed Content Doorhanger appeared: (621)https://www.retailmenot.com
>168:53.73  Mixed Content Doorhanger appeared: (641)https://www.cmbchina.com
>168:53.73  Mixed Content Doorhanger appeared: (646)https://issuu.com
>168:53.73  Mixed Content Doorhanger appeared: (646)https://www.issuu.com
>168:53.73  Mixed Content Doorhanger appeared: (663)https://twitpic.com
>168:53.73  Mixed Content Doorhanger appeared: (663)https://www.twitpic.com
>168:53.73  Mixed Content Doorhanger appeared: (668)https://tinyurl.com
>168:53.73  Mixed Content Doorhanger appeared: (681)https://www.careerbuilder.com
>168:53.73  Mixed Content Doorhanger appeared: (682)https://squarebux.com
>168:53.73  Mixed Content Doorhanger appeared: (687)https://www.zendesk.com
>275:12.85  Mixed Content Doorhanger appeared: (723)https://www.force.com
>275:12.85  Mixed Content Doorhanger appeared: (735)https://www.ensonhaber.com
>275:12.85  Mixed Content Doorhanger appeared: (742)https://www.xtube.com
>275:12.85  Mixed Content Doorhanger appeared: (747)https://drupal.org
>275:12.85  Mixed Content Doorhanger appeared: (748)https://www.cocolog-nifty.com
>275:12.85  Mixed Content Doorhanger appeared: (750)https://haberturk.com 
>275:12.85  Mixed Content Doorhanger appeared: (750)https://www.haberturk.com
>275:12.85  Mixed Content Doorhanger appeared: (761)https://www.norton.com
>275:12.85  Mixed Content Doorhanger appeared: (776)https://slickdeals.net
>275:12.85  Mixed Content Doorhanger appeared: (801)https://rottentomatoes.com
>275:12.85  Mixed Content Doorhanger appeared: (801)https://www.rottentomatoes.com
>275:12.85  Mixed Content Doorhanger appeared: (806)https://www.cheezburger.com
>275:12.85  Mixed Content Doorhanger appeared: (820)https://www.ea.com
>275:12.85  Mixed Content Doorhanger appeared: (836)https://www.kohls.com
>275:12.85  Mixed Content Doorhanger appeared: (855)https://www.nhk.or.jp
>275:12.85  Mixed Content Doorhanger appeared: (861)https://www.hi5.com
>275:12.85  Mixed Content Doorhanger appeared: (866)https://manta.com
>275:12.85  Mixed Content Doorhanger appeared: (866)https://www.manta.com
>275:12.85  Mixed Content Doorhanger appeared: (877)https://www.legacy.com
>275:12.85  Mixed Content Doorhanger appeared: (882)https://www.woot.com
>275:12.85  Mixed Content Doorhanger appeared: (912)https://www.piriform.com
>275:12.86  Mixed Content Doorhanger appeared: (924)https://boston.com
>275:12.86  Mixed Content Doorhanger appeared: (924)https://www.boston.com
>275:12.86  Mixed Content Doorhanger appeared: (932)https://www.avira.com
>275:12.86  Mixed Content Doorhanger appeared: (948)https://www.rr.com
>275:12.86  Mixed Content Doorhanger appeared: (954)https://www.roulettebotplus.com
>275:12.86  Mixed Content Doorhanger appeared: (998)https://jeuxvideo.com
>275:12.86  Mixed Content Doorhanger appeared: (998)https://www.jeuxvideo.com
Flags: needinfo?(brian)
Summary: [tracking] compatibility issues with mixed content blocker on non-Mozilla websites → [meta][tracking] compatibility issues with mixed content blocker on non-Mozilla websites
Emma, this bug seems to be a spam magnet. Is there any way we can close comments on it?
Flags: needinfo?(paulstalker007)
Flags: needinfo?(info.ahram)
Flags: needinfo?(ehumphries)
Flags: needinfo?(brian)
Extended, off-topic comments on a bug add noise to the signal. Per https://bugzilla.mozilla.org/page.cgi?id=restrict_comments_guidelines.html, we've restricted comments on this bug to Mozillians with EDITBUGS permissions.
Flags: needinfo?(ehumphries)
Restrict Comments: true
Keywords: meta
Product: Tech Evangelism → Web Compatibility
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INACTIVE