Closed
Bug 861753
Opened 12 years ago
Closed 12 years ago
vine.co links on Twitter and Facebook blocked (mixed content)
Categories
(Tech Evangelism Graveyard :: English US, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
Apr
People
(Reporter: Dolske, Unassigned)
References
Details
I'm getting mixed content warnings (and broken content) from vine.co links on Twitter and Facebook. I've been running with the mixed content pref enabled (before it became default), but only just noticed this. Recent regression?
EG https://twitter.com/frankyan/status/323664806118842368
Hmm:
<iframe class="card2-player-iframe"
src="https://vine.co/v/bFrhUFrirYi/card"
width="375"
height="375"
frameborder="0">
</iframe>
Yeah, even loading https://vine.co/v/bFrhUFrirYi/card directly does the same.
Didn't we add logging for what triggered the mixed blocking? I'm not seeing anything in the web console or error console. :(
Does your installation support mp4? the flash fallback uses http://vjs.zencdn.net/c/video-js.swf
VideoJS.options={
techOrder:["html5","flash"],
html5:{},
flash:{
swf:"http://vjs.zencdn.net/c/video-js.swf"
},
width:"auto",
height:"auto",
defaultVolume:0,
components:{
posterImage:{},
textTrackDisplay:{},
loadingSpinner:{},
bigPlayButton:{},
controlBar:{}
}
}
Flags: needinfo?(dolske)
Comment 3•12 years ago
|
||
Note that this is not a problem on Windows 7 as long as MP4 support is enabled. The Twitter embed and the direct link in comment 0 both work fine for me.
(In reply to Cork from comment #1)
> Does your installation support mp4? the flash fallback uses
> http://vjs.zencdn.net/c/video-js.swf
This is exactly what the feature is supposed to block. A MitM can modify the swf to p0wn the hosting page's origin.
I also checked and both of these are identical:
http://vjs.zencdn.net/c/video-js.swf
https://vjs.zencdn.net/c/video-js.swf
So, implementing bug 776278 will fix this. Also, more MP4 support on more platforms will fix this on those platforms (bug 799318).
Assignee: nobody → english-us
Component: Security → English US
Depends on: 776278
Product: Firefox → Tech Evangelism
Target Milestone: --- → Apr
Version: unspecified → Trunk
Comment 4•12 years ago
|
||
Should we try to contact twitter and facebook and ask them to update their links to the https version?
Also, is this still a problem? Visiting https://twitter.com/frankyan/status/323664806118842368 on OS X / Firefox 24, I don't see any issues.
Ya, vine.co has fixed there javascript:
u.Pb="https:"==document.location.protocol?"https://":"http://";
u.options={
techOrder:["html5","flash"],
html5:{},
flash:{
swf:u.Pb+"vjs.zencdn.net/c/video-js.swf"
},
width:"auto",
height:"auto",
defaultVolume:0,
components:{
posterImage:{},
textTrackDisplay:{},
loadingSpinner:{},
bigPlayButton:{},
controlBar:{}
}
}
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Updated•10 years ago
|
Product: Tech Evangelism → Tech Evangelism Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•