Closed
Bug 893428
Opened 11 years ago
Closed 7 years ago
https://www.padmapper.com/ does not work properly because of mixed content blocking
Categories
(Firefox :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: jonathan, Unassigned)
Details
(Whiteboard: [mcb-thirdparty-notified][mcb-ie][mcb-chrome30+])
On https://www.padmapper.com, viewing a listing will fail for source websites that are insecure, for example Kijiji. Padmapper works by aggregating housing listings and displaying them on their (secure) site within an iframe.

For the listing to be displayed, one has to select "Disable protection on this page", which will allow the listings to be viewed. However, this has to be done (3 clicks) on each listing that the user wants to see, which is tedious over a number of listings.

Possible solutions include:

* Reviewing the iframe mixed content policy (I don't really know the issue, I know this has been thought about at Mozilla)
* Allow the user to permit mixed content over a domain.

This blocks #844556.
Comment 1•11 years ago
Hi Jonathan,

Thanks for filing this issue!

(In reply to Jonathan Allard from comment #0)
> Possible solutions include:
>
> * Reviewing the iframe mixed content policy (I don't really know the issue,
> I know this has been thought about at Mozilla)

For information on why we block Mixed Content iframes, see here:
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#Mixed_Content_Frames

Internet Explorer also blocks Mixed Content Frames, and hence padmapper will have the same issue on IE. Chrome is also moving in this direction. They have a patch to block Mixed Content frames that was supposed to land in Chrome 29 (but I'm not sure if that is still on track).

> * Allow the user to permit mixed content over a domain.
>

There is a bug for this (https://bugzilla.mozilla.org/show_bug.cgi?id=873349), but I have some reservations about adding a whitelist. I will update the bug with my thoughts and see if we can get some opinions on the idea.
Comment 2•11 years ago
Does anyone have a padmapper contact? Matt, can you check this on IE?
Whiteboard: [mcb-no-contact][mcb-ie?]
Comment 3•11 years ago
The padmapper site itself isn't showing any errors for me in any browser, but if I understand it, it will when it tries to display rental info from a 3rd party site that has been sourced by HTTP. This would require more poking around to find an affected listing, and I haven't found one yet. This site might want to ask itself if embedding insecure content is more or less important than hosting the parent site under HTTPS.
Comment 4•11 years ago
Here is an example - https://www.padmapper.com/show.php?type=66&id=155941464&src=main

Blocked loading mixed active content "http://www.mynewplace.com/apartment/30y420730811?CID=ADV-padmap" @ https://www.padmapper.com/show.php?type=66&id=155941464&src=main
Comment 5•11 years ago
Emailed Eric who seems to be the one man show behind padmapper.com
Updated•11 years ago
Whiteboard: [mcb-no-contact][mcb-ie?] → [mcb-thirdparty-notified][mcb-ie?]
Updated•11 years ago
Whiteboard: [mcb-thirdparty-notified][mcb-ie?] → [mcb-thirdparty-notified][mcb-ie?][mcb-chrome30+]
Comment 6•11 years ago
FYI: I haven't encountered a listing on the secure version of padmapper.com that triggers a mixed content warning in any browser. Hence, I can't inspect the cross-browser behaviors that we are trying to verify.
Comment 7•11 years ago
Here is an example url: https://www.padmapper.com/show.php?type=12&id=152208859&src=main

Note that the example urls disappear as rental postings expire. So we often have to search for a new one that triggers mixed content.
Updated•11 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [mcb-thirdparty-notified][mcb-ie?][mcb-chrome30+] → [mcb-thirdparty-notified][mcb-ie][mcb-chrome30+]
Comment 8•11 years ago
(In reply to lsblakk@mozilla.com [:lsblakk] from comment #5)
> Emailed Eric who seems to be the one man show behind padmapper.com

Lukas, did you ever get a response from Eric? Thanks!
No MCB triggers anymore while browsing on the site.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME