Closed Bug 893428 Opened 11 years ago Closed 7 years ago

https://www.padmapper.com/ does not work properly because of mixed content blocking

Categories

(Firefox :: Security, defect)

23 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: jonathan, Unassigned)

Details

(Whiteboard: [mcb-thirdparty-notified][mcb-ie][mcb-chrome30+])

On https://www.padmapper.com, viewing a listing will fail for source websites that are insecure, for example Kijiji.

Padmapper works by aggregating housing listings and displaying them on their (secure) site within an iframe.

For the listing to be displayed, one has to select "Disable protection on this page", which allows the listings to be viewed. However, this has to be done (3 clicks) on each listing that the user wants to see, which is tedious over a number of listings.

Possible solutions include:

* Reviewing the iframe mixed content policy (I don't really know the issue, I know this has been thought about at Mozilla)
* Allow the user to permit mixed content over a domain.

This blocks #844556.
Blocks: 844556
Hi Jonathan,

Thanks for filing this issue!

(In reply to Jonathan Allard from comment #0)
> Possible solutions include:
> 
> * Reviewing the iframe mixed content policy (I don't really know the issue,
> I know this has been thought about at Mozilla)

For information on why we block Mixed Content iframes, see here:

https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#Mixed_Content_Frames

Internet Explorer also blocks Mixed Content Frames, and hence padmapper will have the same issue on IE.

Chrome is also moving in this direction.  They have a patch to block Mixed Content frames that was supposed to land in Chrome 29 (but I'm not sure if that is still on track).


> * Allow the user to permit mixed content over a domain.
> 
There is a bug for this (https://bugzilla.mozilla.org/show_bug.cgi?id=873349), but I have some reservations about adding a whitelist.  I will update the bug with my thoughts and see if we can get some opinions on the idea.
Does anyone have a padmapper contact?

Matt, can you check this on IE?
Whiteboard: [mcb-no-contact][mcb-ie?]
The padmapper site itself isn't showing any errors for me in any browser, but if I understand it, it will when it tries to display rental info from a 3rd party site that has been sourced by HTTP.

This would require more poking around to find an affected listing, and I haven't found one yet.

This site might want to ask itself if embedding insecure content is more or less important than hosting the parent site under HTTPS.
Emailed Eric who seems to be the one man show behind padmapper.com
Whiteboard: [mcb-no-contact][mcb-ie?] → [mcb-thirdparty-notified][mcb-ie?]
Whiteboard: [mcb-thirdparty-notified][mcb-ie?] → [mcb-thirdparty-notified][mcb-ie?][mcb-chrome30+]
FYI: I haven't encountered a listing on the secure version of padmapper.com that triggers a mixed content warning in any browser. Hence, I can't inspect the cross-browser behaviors that we are trying to verify.
Here is an example url:

https://www.padmapper.com/show.php?type=12&id=152208859&src=main

Note that the example urls disappear as rental postings expire.  So we often have to search for a new one that triggers mixed content.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [mcb-thirdparty-notified][mcb-ie?][mcb-chrome30+] → [mcb-thirdparty-notified][mcb-ie][mcb-chrome30+]
(In reply to lsblakk@mozilla.com [:lsblakk] from comment #5)
> Emailed Eric who seems to be the one man show behind padmapper.com

Lukas, did you ever get a response from Eric?  Thanks!
No MCB triggers anymore while browsing on the site.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
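
The frame blocking discussed in this bug, as an added example that is not part of the original thread or of any browser's code: a site operator's pre-flight check that lists which embedded `http://` resources on an `https://` page would be blocked as active mixed content. The function name `auditMixedContent`, the `.example` hosts and the regex-based tag scan (a simplification, not a full HTML parser) are assumptions made for illustration.

```javascript
// Added example: flags http:// subresources on an https:// page.
// Simplified split: frames, scripts and plugins are active content (blocked);
// images, audio and video are passive content (still loaded by default).
const ACTIVE = new Set(['iframe', 'script', 'object']);
const TAG_RE = /<(iframe|script|object|img|audio|video)\b[^>]*?\s(?:src|data)\s*=\s*["']([^"']*)["']/gi;

function auditMixedContent(pageUrl, html) {
  const page = new URL(pageUrl);
  const findings = [];
  // Mixed content only exists when the embedding page itself is secure.
  if (page.protocol !== 'https:') return findings;
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    let target;
    try {
      target = new URL(m[2], page); // resolves relative and protocol-relative URLs
    } catch {
      continue; // unparseable attribute value, nothing to load
    }
    if (target.protocol !== 'http:') continue;
    findings.push({ tag, url: target.href, verdict: ACTIVE.has(tag) ? 'block' : 'allow' });
  }
  return findings;
}

// Constructed sample markup; hosts are placeholders, not taken from the bug.
const SAMPLE_PAGE = 'https://aggregator.example/show?id=1';
const SAMPLE_HTML = `
  <script src="//cdn.example/app.js"></script>
  <iframe src="http://listings.example/ad/123"></iframe>
  <iframe src="https://secure-listings.example/ad/9"></iframe>
  <img alt="photo" src="http://listings.example/photo.jpg">
  <img src="/static/logo.png">
`;

for (const f of auditMixedContent(SAMPLE_PAGE, SAMPLE_HTML)) {
  console.log(`${f.verdict.padEnd(5)} <${f.tag}> ${f.url}`);
}
```

The protocol-relative script and the relative image inherit `https:` from the page and are not reported; only the insecure listing frame comes back with a `block` verdict.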