Closed Bug 865381 Opened 11 years ago Closed 10 years ago

Mixed active content (scripts and css) on openbadges.org

Categories: Websites :: openbadges.org
Type: defect, Priority: Not set, Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: tanvi, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Keywords: compat, dogfood

Mixed Active Content is blocked by default for users of Firefox 23+.  We are filing bugs for all Mozilla affiliated websites that have Mixed Content (master tracking bug is 843977).

Mixed content is when http content is present on https pages.  Please remove mixed content from openbadges.org.  If the mixed (active) content is not removed by August (when Firefox 23 hits stable), then openbadges.org will be broken when users first visit the site.

On openbadges.org's homepage, I see the following two resource loads that are blocked:
* Blocked loading mixed active content "http://openbadges.org/wp-content/themes/openbadges2/media/css/core.min.css?ver=2.0" @ https://openbadges.org/
* Blocked loading mixed active content "http://openbadges.org/wp-includes/js/jquery/jquery.js?ver=1.8.3" @ https://openbadges.org/

Changing these links to "https" will resolve the issue (at least for the homepage).

If you need more information about this, I am happy to help.  You can also see this blog post for more details: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/



+++ This bug was initially created as a clone of Bug #843977 +++
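
The check the report above does by hand in the browser console can be automated. The following is an added example, not part of the original bug report: it scans a page's HTML for `http://` subresources on an `https://` page and separates active content (blocked by default in Firefox 23+) from passive content. The sample HTML is constructed; only the two blocked URLs come from the report, and the protocol-relative script and the image are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Subresource tags and the attribute carrying the URL. Firefox 23+ blocks the
# "active" group by default; the "passive" (display) group still loads.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":  # only stylesheets count as active content
            if "stylesheet" in (a.get("rel") or "").lower().split():
                self._check("active", tag, a.get("href"))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag]))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag]))

    def _check(self, kind, tag, ref):
        if not ref:
            return
        url = urljoin(self.page_url, ref)  # resolves relative and //host URLs
        if urlsplit(url).scheme == "http":
            self.findings.append((kind, tag, url))

def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # an http page has no "mixed" content by definition
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: the two blocked URLs are from the report; the
# protocol-relative script and the image are made up for illustration.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://openbadges.org/wp-content/themes/openbadges2/media/css/core.min.css?ver=2.0">
<script src="http://openbadges.org/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
<script src="//openbadges.org/example.js"></script>
</head><body><img src="http://openbadges.org/example.png">
<a href="http://openbadges.org/">home</a></body></html>"""
if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://openbadges.org/", SAMPLE):
        print(f"mixed {kind} content: <{tag}> {url}")
```

The protocol-relative script inherits the page's scheme and the `<a href>` is navigation rather than a subresource load, so neither is reported.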
I'm on the web app security team, tracking the dependencies for the overall mixed content bug, 843977.

There hasn't been any activity on this bug id lately, who is working on it, if anyone?
Ross: ^^
Flags: needinfo?(ross)
Similar to the Webmaker team the Badges team have been super busy recently preparing for a big launch of a campaign that they're working on but I'll add the PM to the CC for his input. I'll also file a couple of bugs that I think when fixed should help solve things...
Flags: needinfo?(ross)
Depends on: 880618
Thanks for opening the ticket. When can you guys get this on your calendar?
Just following up - the new FF beta has mixed content blocking enabled, this is pretty much a dogfood issue.
I think this is resolved by the site redirecting to http and not having https.

Going to https://openbadges.org

HTTP/1.1 302 Found
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 03 Jul 2013 22:34:51 GMT
Location: http://openbadges.org/

So no https = no mixed content blocker.
Based on the above I am resolving. In the future if this site supports https and has issues we can re-open.

But for now the site appears to be http only.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Thank you Ben!
Not all pages redirect to the HTTP version.  Reopening:

https://community.openbadges.org/
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Ross:

Can you provide a date when this will be resolved? This will be going into release FF Aug 6.
Flags: needinfo?(rossbruniges)
Andrew

I was just informed that Ross is no longer with the company. I am trying to find an owner to fix community.openbadges.org. It is currently broken in IE & Chrome due to mixed content and will be broken on FF come Aug 6.


Is this something you can directly fix (found you via github commits), if not can you suggest someone who could?
Flags: needinfo?(rossbruniges) → needinfo?(andrew)
I've set up a redirect for https-->http.
Moving forward, we've discussed moving the other direction.
I think this can now be closed, based on JP's actions.

Ben, can you confirm that this is sufficient?
Flags: needinfo?(andrew) → needinfo?(booboobenny+bugzilla)
Redirect looks ok. This technically solves the problem of the site loading in IE, Chrome and now Firefox.

Agree that HTTPS is still the better solution but nice to have the site loading now :)
Flags: needinfo?(booboobenny+bugzilla)
This is a colossal pain. If I'm understanding this correctly, this kills a project I worked a long time on. 

I have written a bookmarklet-based research tool. This bookmarklet calls a page hosted either on a user's own server or on a public server of the user's choosing. Now, that page must be hosted on an https server, or the bookmarklet will not work on pages on websites that default to https, such as facebook or google. Since the tool was primarily intended to be used on facebook, this blows the whole project out of the water. Even if I went to the trouble & expense of getting my own SSL cert, I couldn't distribute the project anymore, because it wouldn't work for anyone who didn't have their own cert, and it's a total crapshoot as to whether a given small-time personal domain owner will or won't.

Developers shouldn't make iron-clad, inflexible security decisions for the user if they limit usability. Whoever made this design decision obviously didn't think through the use cases thoroughly enough.
Belay the above. I didn't realize it's only Javascript... it wasn't my page, it was that my page was calling jQuery via http instead of https.
And, belay that retraction. My fixes from two weeks ago no longer work. Apparently in FF 25 this "feature" was changed again so that now *all* content called in an iFrame on an https page must also be hosted on an https server. My project is dead in the water, many months of work down the drain.
David, this is the wrong bug for discussing your issue. This bug is about mixed content on a specific Mozilla website.

Please join the https://lists.mozilla.org/listinfo/dev-security mailing list and explain your situation there. If your tool is open source, or if you have any kind of public demo of it, please include a link in your email.
(In reply to Tanvi Vyas [:tanvi] from comment #9)
> Not all pages redirect to the HTTP version.  Reopening:
> 
> https://community.openbadges.org/

See also: https://bugzilla.mozilla.org/show_bug.cgi?id=861847

It seems community.openbadges.org now redirects to http but the (upcoming?) site uses https: https://beta.openbadges.org/
Those are two separate applications.

The first you mention is a WordPress blog outlining the uses for Openbadges.  Beta, which is actually https://backpack.openbadges.org, is a different application for displaying one's badges.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 10 years ago
Resolution: --- → FIXED