Closed Bug 865384 Opened 12 years ago Closed 11 years ago

Mixed active content popcorn.webmaker.org

Categories

(Webmaker Graveyard :: Popcorn Maker, defect)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: tanvi, Assigned: jon)

References

(Blocks 1 open bug)

Details

(Keywords: compat, dogfood)

Mixed Active Content is blocked by default for users of Firefox 23+. We are filing bugs for all Mozilla affiliated websites that have Mixed Content (master tracking bug is 843977). Mixed content is when http content is present on https pages.

Please remove mixed content from popcorn.webmaker.org. If the mixed (active) content is not removed by August (when Firefox 23 hits stable), then popcorn.webmaker.org will not be fully functional when users first visit the site.

On popcorn.webmaker.org's homepage, I see the following resource that is blocked:
* Blocked loading mixed active content "http://popcorn.webmadecontent.org/r7_" @ https://popcorn.webmaker.org/

It looks like trying to visit https://popcorn.webmadecontent.org/r7_ is using an invalid certificate, so simply changing the link to https won't work. Either the certificate has to be updated or the content should be loaded from a domain that does have a valid ssl certificate.

If you need more information about this, I am happy to help. You can also see this blog post for more details: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

Please also check if this issue exists on other *.webmaker.org pages. Thanks!

+++ This bug was initially created as a clone of Bug #843977 +++
I'm on the web app security team, tracking the dependencies for the overall mixed content bug, 843977. Has anyone begun work on this bug yet?
Ross: ^^
Flags: needinfo?(ross)
Currently the Webmaker team are sprinting towards launching a brand new Webmaker (the site, the apps, the infrastructure) and I know that this greater issue (mixed-content) has been considered; indeed we've had many internal discussions with some awesome input from Mark Goodwin on this. Will move the product/component into the proper place and add the PM and tech leads to this bug for confirmation or updates.
Component: Other → Popcorn Maker
Flags: needinfo?(ross)
Product: Websites → Webmaker
Yes, we're tracking here: https://bugzilla.mozilla.org/show_bug.cgi?id=879020

Our new infra will publish to https with a valid SSL cert.
That ticket's closed, I'm still seeing:

popcorn.webmadecontent.org uses an invalid security certificate. The certificate is only valid for the following names: *.s3.amazonaws.com , s3.amazonaws.com
I just tried again and still see the error. Should this have changed by now?
No, not yet, sorry. Next week when we're not crunching for this Webmaker 2.0 launch, we'll go back and add SSL to that S3 bucket. Webmaker v2.0 will use makes.org, which already has SSL enabled: https://jon.makes.org/thimble/first
Hi Jon, did you guys get this onto your calendar for this week?
Started to move on this. I'd like to get the zone over to AWS (bug 884535), figure out which zones are being used, then order the appropriate SSL cert. Onward!
Assignee: nobody → jon
Status: NEW → ASSIGNED
Just following up - the new FF beta has mixed content blocking enabled, this is pretty much a dogfood issue.
Depends on: 888379
Alright, https://popcorn.webmadecontent.org/1 is up and running
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
(In reply to Jon Buckley [:jbuck] from comment #11)
> Alright, https://popcorn.webmadecontent.org/1 is up and running

This still gives a cert error.
If you're inside one of the Mozilla offices you're being affected by bug 892677. Should resolve itself today/tomorrow!
Depends on: 892677
:tanvi can you verify that you're getting the correct cert now? Inside the Toronto office I am
Both https://popcorn.webmadecontent.org/r7_ and https://popcorn.webmaker.org/ work now (no cert error, no mixed content loads).

But when I go to https://popcorn.webmadecontent.org/1 I get the Mixed Content Shield Doorhanger and there is no content on the page. The webconsole says the following content was blocked:

Blocked loading mixed active content "http://popcorn.webmadecontent.org/1_" @ https://popcorn.webmadecontent.org/1

This frame in the HTML needs to be updated to replace http:// with https://:

<iframe id="embed" src="http://popcorn.webmadecontent.org/1_" width="1280" height="745" mozallowfullscreen="mozallowfullscreen" webkitallowfullscreen="webkitallowfullscreen" allowfullscreen="allowfullscreen"></iframe>

There may be other pages within the popcorn.webmadecontent.org domain that also trigger mixed content. Please check for mixed active content across the domain. In order to do this, you can use a scanning tool (adamm can give you guidance on that) or I also have a mochitest you could use (but you'd need to have a list of all the url entrypoints of your domain).

Reopening for now.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
If someone can get me a list of the valid URLs to check I will let you know which still have problems.
In this case, every single URL will have this problem :/ I need to write a batch script to copy down the files, modify the iframe URLs, and upload them again...
Alright, tested out my batch script on https://popcorn.webmadecontent.org/1 and now the iframe isn't blocked by Nightly. Currently running it on the rest of the pages now, I'll RESOLVE this bug once that's done.
You can also check it yourself using the ZAP intercepting proxy which is written by a Mozilla employee, Simon Bennetts.

https://code.google.com/p/zap-extensions/wiki/AddOn_pscanrules

Passive mixed content scanning is one of the default plugins: just use it to proxy a browser and the passive scanner will catch it.
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
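
The check and fix discussed in this thread (find `http://` active content in a published page, then rewrite it to `https://`), sketched as an added example; it is not the batch script or the mochitest mentioned in the comments. The tag list, the `https_ok_hosts` parameter and every sample URL except the iframe quoted in the bug are assumptions, and the rewrite is limited to hosts known to serve a valid certificate because, as the report notes, switching the scheme alone does not help when the certificate is invalid.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> URL attribute for subresources browsers treat as *active* content
# (assumed list; images, audio and video are passive and left out).
ACTIVE = {"script": "src", "iframe": "src", "frame": "src",
          "embed": "src", "object": "data", "link": "href"}


class MixedActiveFinder(HTMLParser):
    """Collect (tag, url) pairs for http:// active subresources."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)
        if attr is None:
            return
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower().split():
            return  # only stylesheet links count as active content
        url = a.get(attr, "").strip()
        if urlsplit(url).scheme.lower() == "http":
            self.hits.append((tag, url))


def find_mixed_active(html):
    finder = MixedActiveFinder()
    finder.feed(html)
    return finder.hits


def upgrade(html, https_ok_hosts):
    """Rewrite flagged URLs to https:// for hosts with a valid certificate.
    Returns the new HTML and whatever is still flagged afterwards."""
    for _tag, url in find_mixed_active(html):
        if urlsplit(url).hostname in https_ok_hosts:
            quoted = r'(?<=["\'])' + re.escape(url) + r'(?=["\'])'
            html = re.sub(quoted, lambda m, u=url: "https" + u[4:], html)
    return html, find_mixed_active(html)


# Constructed sample: the iframe from this bug plus hypothetical extras.
SAMPLE = """<iframe id="embed" src="http://popcorn.webmadecontent.org/1_"></iframe>
<script src="http://cdn.example.test/lib.js"></script>
<img src="http://img.example.test/logo.png">
<link rel="stylesheet" href="https://popcorn.webmaker.org/style.css">"""
```

Anything returned in the second element of `upgrade()` still needs attention: either the host is not in the allowlist or the URL could not be matched verbatim in the markup.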