www.newsblur.com does not work properly because of mixed content blocking

RESOLVED WORKSFORME

Status

P5
minor
6 years ago
a month ago

People

(Reporter: mwobensmith, Unassigned)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [mcb-chrome][mcb-ie][mcb-no-contact] [country-us] [contactready], URL)

Mixed content blocking is a feature that prevents insecure elements on secure pages from loading. In Firefox 23, this feature will default to blocking "active" insecure content, which may break some web sites. 

More information on Firefox's Mixed Content Blocker is below: 
http://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

The security feature is currently breaking the HTTPS version of www.omnigroup.com. It also appears to be functioning incorrectly in Chrome 26.

https://www.newsblur.com/ should render and function like http://www.newsblur.com/, but it doesn't because some HTTP resource(s) are not loaded.  

Affected URL:
https://www.newsblur.com/site/903/i-can-has-cheezburger

Here is a list of the active, HTTP resources that were blocked: 

Blocked loading mixed active content "http://www.facebook.com/plugins/facepile.php?%20app_id=151927811548639&size=large&action=like&max_rows=3&width=210" @ https://www.newsblur.com/site/903/i-can-has-cheezburger
Blocked loading mixed active content "http://www.googletagservices.com/tag/js/gpt.js" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
Blocked loading mixed active content "http://ssl.google-analytics.com/ga.js" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
Blocked loading mixed active content "http://barium.cheezdev.com/" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
Blocked loading mixed active content "http://sb.scorecardresearch.com/beacon.js" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
Blocked loading mixed active content "http://secure.quantserve.com/quant.js" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
Blocked loading mixed active content "http://connect.facebook.net/en_US/all.js" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
Blocked loading mixed active content "http://s7.addthis.com/js/300/addthis_widget.js#pubid=ra-514392b92c7f65e7" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
[16:12:50.667] Blocked loading mixed active content "http://graph.facebook.com/fql?q=SELECT%20share_count,%20commentsbox_count%20FROM%20link_stat%20WHERE%20url%20IN%20(%22http://cheezburger.com/7510781696%22,%22http://cheezburger.com/7510145536%22,%22http://cheezburger.com/7486583040%22,%22http://cheezburger.com/7521020416%22,%22http://cheezburger.com/7514981120%22,%22http://cheezburger.com/7519180288%22,%22http://cheezburger.com/7514505984%22)&callback=jQuery19005733745778657625_1370301170218&_=1370301170219" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
[16:12:50.672] Blocked loading mixed active content "http://app.cheezburger.com/Rating/Scores?callback=jQuery19005733745778657625_1370301170220&section=3&assetIds=7510781696&assetIds=7510145536&assetIds=7486583040&assetIds=7521020416&assetIds=7514981120&assetIds=7519180288&assetIds=7514505984&_=1370301170221" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:213
Blocked loading mixed active content "http://fanconverter.wetpaint.me/1.2.0/application-fanconverter.js" @ https://s.chzbgr.com/s/release_20130603.2/js-built/main-moist.js:210
Site also triggers mixed content warning in IE10.

Updated

5 years ago
Whiteboard: [mcb-chrome][mcb-ie]
Related: I switched to Newsblur from Google Reader (bug 844555) still get empty boxes when a feed includes a YouTube video.

EG https://www.newsblur.com/site/2330/hacked-gadgets-diy-tech-blog currently has an article with <iframe src="http://www.youtube.com/embed/FP6xWrKVqo4">. Chrome shows a video, is this the thing where Chrome isn't blocking iframes but we do?
Appears to have been fixed. Closing now.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED

Comment 4

5 years ago
It has not been fixed. I'm on beta channel and it still doesn't work.

Comment 5

5 years ago
(In reply to Justin Dolske [:Dolske] from comment #2)
> EG https://www.newsblur.com/site/2330/hacked-gadgets-diy-tech-blog currently
> has an article with <iframe src="http://www.youtube.com/embed/FP6xWrKVqo4">.
> Chrome shows a video, is this the thing where Chrome isn't blocking iframes
> but we do?

Yeah, looks like this issue still exists.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 6

5 years ago
This is something that happens with my experience with Firefox and Newsblur.  More of a problem now that Google Reader is gone, and the last update of Chrome makes it shut my computer down, so I really don't have an alternative browser.  Please consider a fix, sure would appreciate it!

Comment 7

5 years ago
Does anyone have a contact at newsblur?
Whiteboard: [mcb-chrome][mcb-ie] → [mcb-chrome][mcb-ie][mcb-no-contact]

Comment 8

5 years ago
Why is this needed? NewsBlur uses iframes to display external content, and how can a contact help?

Also, I believe Samuel's email is public, see: https://github.com/samuelclay/NewsBlur/ , an address in @newsblur.com.

Comment 9

5 years ago
(In reply to Aissen from comment #8)
> Why is this needed? NewsBlur uses iframes to display external content, and
> how can a contact help?
> 
> Also, I believe Samuel's email is public, see:
> https://github.com/samuelclay/NewsBlur/ , an address in @newsblur.com.

If the HTTPS version of newsblur includes HTTP iframes for external content, the iframes will be considered Mixed Content and blocked by IE9+, Firefox 23+, and Chrome 30+.  It looks like there is more than iframes, though; comment 0 shows they are also using mixed JavaScript, for example.

We can use help in contacting websites with Mixed Content, to let them know about the compatibility issues they have (or are about to have) with major browsers.  They can then work on removing the mixed content on their pages (replacing the http embeds with https embeds).

Comment 10

5 years ago
NewsBlur is an RSS reader, therefore it displays the external websites directly into iframes. There's not much it can do if those websites don't provide https connectivity.

Regarding javascript, it could probably be fixed though.
(In reply to Aissen from comment #10)
> NewsBlur is an RSS reader, therefore it displays the external websites
> directly into iframes. There's not much it can do if those websites don't
> provide https connectivity.

That's not how RSS works at all.

The problem, at least for YouTube, is how that content is embedded in RSS feeds, what Google recommends doing, and how that breaks as a result of MCB.

Comment 12

5 years ago
Hey, I run NewsBlur, so I'd love to help. Just to clarify, NewsBlur hits both active and passive mixed content warnings.

The active warning is from loading a story's permalink in an iFrame (called the Story mode), and is something that I don't really mind being blocked. However, I would like an event notification that I can listen to that tells me there was blocked active content and perhaps the DOM element that tried to request it. That way I can provide messaging to my users.

The passive warning is from loading images from a feed. The only way to get around this is for me to proxy all non-https images through something like CloudFront (camo on github is a good repo for this). I'll get around to that.

But having a notification so I can respond to the mixed content warning would be so helpful. Can we turn this ticket into that request?

Comment 13

5 years ago
Hi Sam,

Thanks for your response!

(In reply to Sam Clay from comment #12)
> The active warning is from loading a story's permalink in an iFrame (called
> the Story mode), and is something that I don't really mind being blocked.
> However, I would like an event notification that I can listen to that tells
> me there was blocked active content and perhaps the DOM element that tried
> to request it. That way I can provide messaging to my users.

When mixed content is blocked, we present a message in the security pane of the webconsole as explained here: https://developer.mozilla.org/en-US/docs/Security/MixedContent.  When mixed content is allowed and loaded, it shows up in the net panel.  (We are moving this to the security panel in bug https://bugzilla.mozilla.org/show_bug.cgi?id=875456.)  These messages tell you where in the code the mixed content came from.  Example from comment 0:

Blocked loading mixed active content "http://www.facebook.com/plugins/facepile.php?%20app_id=151927811548639&size=large&action=like&max_rows=3&width=210" @ https://www.newsblur.com/site/903/i-can-has-cheezburger


> But having a notification so I can respond to the mixed content warning
> would be so helpful. Can we turn this ticket into that request?

We are also looking into adding observers for mixed content and other security errors in bug https://bugzilla.mozilla.org/show_bug.cgi?id=897240.  This would be helpful for addons that are trying to find/report security issues on webpages.  But it wouldn't provide webpages with an event notification.
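
The console messages quoted in this bug have a regular shape: the blocked URL in quotes, then "@" and the page or script that requested it, with an optional line number. As an added example (not part of the original thread or of Firefox), this parser groups the blocked hosts by the source that requested them; the sample lines and hostnames are constructed.

```javascript
// Constructed sample in the message format quoted in this bug;
// the hostnames are placeholders, not the ones from the report.
const SAMPLE_LOG = [
  'Blocked loading mixed active content "http://widgets.example.net/like.php?app_id=1&size=large" @ https://reader.example.com/site/1/feed',
  'Blocked loading mixed active content "http://tags.example.org/gpt.js" @ https://static.example.com/js/main.js:213',
  '[16:12:50.667] Blocked loading mixed active content "http://api.example.org/fql?q=a%20b&callback=cb" @ https://static.example.com/js/main.js:213',
  'Blocked loading mixed active content "http://cdn.example.io/app.js" @ https://static.example.com/js/main.js:210',
  'GET https://reader.example.com/favicon.ico [HTTP/1.1 200 OK 12ms]',
].join('\n');

// Optional [hh:mm:ss.mmm] prefix, quoted blocked URL, then the requesting source.
const LINE_RE =
  /^(?:\[[\d:.]+\]\s*)?Blocked loading mixed active content "([^"]+)" @ (\S+)$/;

function hostOf(url) {
  try { return new URL(url).host; } catch (e) { return null; }
}

function parseBlocked(logText) {
  const entries = [];
  for (const raw of logText.split('\n')) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue; // unrelated console output
    const [, blockedUrl, where] = m;
    // A trailing ":<digits>" is the line number inside the requesting script.
    const [, source, line] = /^(.+?)(?::(\d+))?$/.exec(where);
    const blockedHost = hostOf(blockedUrl);
    if (!blockedHost) continue; // not a parsable URL
    entries.push({ blockedUrl, blockedHost, source, line: line ? Number(line) : null });
  }
  return entries;
}

// Group blocked hosts by the host of the page or script that requested them,
// so the owner of each source can see which embeds need an https URL.
function hostsBySource(entries) {
  const sets = {};
  for (const e of entries) {
    const key = hostOf(e.source) || e.source;
    (sets[key] = sets[key] || new Set()).add(e.blockedHost);
  }
  const out = {};
  for (const key of Object.keys(sets)) out[key] = [...sets[key]].sort();
  return out;
}
```

Calling hostsBySource(parseBlocked(text)) on a saved console log separates requests made by the page itself from those made by a third-party script it loads.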

Comment 14

5 years ago
> We are also looking into adding observers for mixed content and other security errors in bug https://bugzilla.mozilla.org/show_bug.cgi?id=897240.  This would be helpful for addons that are trying to find/report security issues on webpages.  But it wouldn't provide webpages with an event notification.

So why not give webpages an event notification? If NewsBlur could capture this event, it could fall back with an error message that's helpful to the user.

Updated

4 years ago
Assignee: english-us → nobody
Status: REOPENED → NEW
Component: English US → Desktop
Whiteboard: [mcb-chrome][mcb-ie][mcb-no-contact] → [mcb-chrome][mcb-ie][mcb-no-contact] [country-us] [contactready]

Comment 15

4 years ago
This has come up again with users: https://getsatisfaction.com/newsblur/topics/story_view_not_working_on_all_sites.

I just need some warning so I can tell the user why an iframe isn't working.
Maybe this bug should be mutated into feature requests, more than Tech Evangelism.
What do you think Boris?
Flags: needinfo?(bzbarsky)
Summary: https://www.newsblur.com/ does not work properly because of mixed content blocking → www.newsblur.com does not work properly because of mixed content blocking
This is tricky. It would likely violate same origin policies to start giving a parent site from origin A information about content blocked inside IFRAME from origin B.

You could imagine something like
<iframe src="http://example.com" onerror="warnAboutFailedIframe()">
but IMO it could only fire for the main URL inside the IFRAME to avoid cross-origin information leakage - and it's already possible to simply do /^http:/.test(iframe.src) to check if it's likely to fail loading due to mixed content blocking. So if we turn this into a feature request, we'd IMHO have to invalidate it. I understand the use case and the desirability of having such a feature, but I don't think we can safely add it.
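
The scheme check suggested above, written out as an added example (not code from the thread or from NewsBlur): it resolves a raw src value against the page URL first, so relative and protocol-relative values are handled, and it separates active embeds from passive ones. The function names, the tag mapping and the fallback policy are assumptions of this example, and the result only says a load is likely to be blocked; it cannot see the user's browser setting.

```javascript
// Tags this bug discusses: iframes and scripts are blocked as "active"
// content, images only trigger the "passive" warning. The mapping is
// limited to those tags and is an assumption of this example.
const ACTIVE_TAGS = new Set(['iframe', 'script']);
const PASSIVE_TAGS = new Set(['img']);

function mixedContentRisk(pageUrl, tag, rawSrc) {
  const page = new URL(pageUrl);
  let target;
  try {
    // Resolving against the page handles "/path" and "//host/path" values,
    // which a plain /^http:/ test on the raw attribute would misjudge.
    target = new URL(rawSrc.trim(), page);
  } catch (e) {
    return 'invalid';
  }
  if (page.protocol !== 'https:') return 'none';  // http page: nothing is "mixed"
  if (target.protocol !== 'http:') return 'none'; // https embed or non-http scheme
  const t = tag.toLowerCase();
  if (ACTIVE_TAGS.has(t)) return 'active';
  if (PASSIVE_TAGS.has(t)) return 'passive';
  return 'unknown';
}

// Hypothetical policy for a story permalink: still attempt the embed (the
// user may have allowed mixed content), but show a fallback link next to
// the frame when the load is likely to be blocked.
function storyViewPlan(pageUrl, permalink) {
  const risk = mixedContentRisk(pageUrl, 'iframe', permalink);
  return {
    risk,
    embed: risk !== 'invalid',
    showFallbackLink: risk === 'active',
  };
}
```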
Sam, how do I test this "story view not working" problem? I'd like to see what you're doing exactly.
I think Hallvord covered everything I was going to say.
Flags: needinfo?(bzbarsky)
Ping sam for comment #17 and Comment #18
Flags: needinfo?(samuel)

Comment 21

4 years ago
Go to https://www.newsblur.com/site/250073/inner-sanctum-of-the-ninveah and click on the "Story" segmented control at the bottom of the window. (Original/Feed/Text/Story). That loads the currently selected story's permalink, which is http, not https like NewsBlur.

See http://cl.ly/Y21m for a screenshot.

I can't issue a regex for checking to see if the url begins with `http:` since some users may have turned off Mixed Mode Warnings and I want the page to load successfully for them. NewsBlur is a unique case as it's an RSS reader and will load many cross-origin webpages, but that doesn't mean I will have access to anything in the iframe if all I know is a browser setting for mixed content mode warnings.
Flags: needinfo?(samuel)
Thanks Sam for explaining this bug.

So I guess this is a duplicate of this Feature Request on sandboxed iframe: Bug 903211

See also the comments thread about CMS at 
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#comment-81

Sam,
would you accept to resolve this one as DUPLICATE of Bug 903211 and discuss your issue there?
Still an issue.
Priority: -- → P5

Updated

a month ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago → a month ago
Resolution: --- → WORKSFORME