Closed Bug 880885 Opened 7 years ago Closed 4 years ago

Accepting invitations on https://www.linkedin.com/inbox/invitations/pending does not work properly because of mixed content blocking

Categories

(Web Compatibility :: Desktop, defect, major)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: tanvi, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [mcb-ie][contactready] [country-all] [http])

Mixed content blocking is a feature that prevents insecure elements on secure pages from loading. In Firefox 23, this feature will default to blocking "active" insecure content, which may break some web sites. 

More information on Firefox's Mixed Content Blocker is below: 
http://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

The security feature is currently breaking the XHR request made when a user accepts an invitation on the HTTPS version of LinkedIn (ex: https://www.linkedin.com/inbox/invitations/pending). The accept request never goes through (note that I've obfuscated some of the potentially sensitive parameters):

Blocked loading mixed active content "http://www.linkedin.com/inbox/action?mboxItemGID=XXXXXXXXXX&actionType=invitationAccept&csrfToken=ajax%3AXXXXXX&goback=%2Epiv_*1_*1_*1_*1_*1&trk=inbox-invitations-inv-accept&ctx=inbox&rnd=XXXXXXXXXXX"
 @ https://s1-s.licdn.com/scds/concat/common/js?h=XXXXXXXXXX&fc=1:43

Note that Chrome 29+ will also be blocking Mixed Content XHR requests, so this problem will occur for both Firefox and Chrome users when these versions hit stable in early August.
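
Added example, not part of the original report and not Mozilla's or LinkedIn's code: a small JavaScript check that classifies a subresource request the way the report describes (an `http://` XHR from an `https://` page is mixed active content) and extracts blocked URLs from console text in the format quoted above. The type lists are a simplified assumption, and the page, hosts and log lines are constructed samples.

```javascript
// Added example (not from the bug report). All sample data below is constructed.
// Simplified type lists (assumption): a real browser decides per content policy type.
const ACTIVE = new Set(["script", "stylesheet", "iframe", "xhr", "object", "font"]);
const PASSIVE = new Set(["image", "audio", "video"]);

// Decide how a mixed content blocker would treat one subresource request.
function classifyRequest(pageUrl, requestUrl, type) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, page); // also resolves relative and //host/path URLs
  if (page.protocol !== "https:" || req.protocol !== "http:") return "ok";
  if (ACTIVE.has(type)) return "mixed-active";   // blocked by default
  if (PASSIVE.has(type)) return "mixed-passive"; // not blocked by default
  return "mixed-unclassified";
}

// Pull blocked URLs out of console text in the format quoted in this report
// and propose the same URL over HTTPS (the server must actually serve it there).
function blockedUrls(consoleText) {
  const re = /Blocked loading mixed active content "([^"]+)"/g;
  const found = [];
  for (const m of consoleText.matchAll(re)) {
    const fixed = new URL(m[1]);
    fixed.protocol = "https:";
    found.push({ blocked: m[1], httpsCandidate: fixed.href });
  }
  return found;
}

// Constructed sample, modelled on the console message above.
const SAMPLE_PAGE = "https://app.example.com/inbox/pending";
const SAMPLE_LOG = [
  'Blocked loading mixed active content "http://app.example.com/inbox/action?actionType=accept&rnd=1"',
  " @ https://static.example.com/js/common.js:43",
].join("\n");

console.log(classifyRequest(SAMPLE_PAGE, "http://app.example.com/inbox/action", "xhr"));
console.log(classifyRequest(SAMPLE_PAGE, "/inbox/action", "xhr"));
console.log(blockedUrls(SAMPLE_LOG));
```

A relative or scheme-relative request URL inherits the page's `https:` scheme, which is why the second call reports `ok`.
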
I emailed some folks at LinkedIn about this issue.
This is also an issue on IE 10.
and possibly IE9, but we haven't tested that.
Blocks: 881786
No longer blocks: 881786
Whiteboard: [mcb-chrome29+][mcb-ie]
(In reply to Tanvi Vyas [:tanvi] from comment #1)
> I emailed some folks at LinkedIn about this issue.

I reached out to the LinkedIn folks again yesterday for an update.
Whiteboard: [mcb-chrome29+][mcb-ie] → [mcb-chrome29+?][mcb-ie]
Chrome has not blocked Mixed XHRs yet.  So removing the Chrome flag from the whiteboard until they do.
Whiteboard: [mcb-chrome29+?][mcb-ie] → [mcb-ie]
This issue still exists.  If anyone has a webdev contact at LinkedIn, please do reach out to them.  Thanks!
Whiteboard: [mcb-ie] → [mcb-ie][contactready]
Assignee: english-us → nobody
Component: English US → Desktop
Whiteboard: [mcb-ie][contactready] → [mcb-ie][contactready] [country-all] [http]
Tentatively WFM - I have no pending invites but I don't see any warnings when that page loads (it then forwards me somewhere else - to an "import contacts" page, AKA their "spams your friends forever" feature)
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME
Product: Tech Evangelism → Web Compatibility