893506 - CSS should not trigger Renego active content security warning

Status: RESOLVED WONTFIX

(Firefox :: Security, defect)

Description

[Thomas Sisson]

Attachment: aboutHome.xhtml

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130627172038

Steps to reproduce:

Opened about:home from the address bar in Firefox.


Actual results:

The page loaded and I received this Renego warning:

Url Security Check
Loading of chrome://browser/content/abouthome/aboutHome.css from about:home denied.


Expected results:

I should have seen no warning.

Comment 1

[Thomas Sisson]

I'm using Firefox 22 and Renego is already enabled even though I don't recall enabling it.
I believe the pertinent lines from about:config that you would ask about are:

security.mixed_content.block_active_content, true
security.mixed_content.block_display_content, false
security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref, false
security.ssl.renego_unrestricted_hosts, ""
security.ssl.require_safe_negotiation, false
security.ssl.treat_unsafe_negotiation_as_broken, false

There are other pages that exhibit this behavior, but it is pretty easy to type about:home into your browser and see what happens. I see similar warnings when I open text documents from links.

Behavior of this sort would make me want to turn off this new security feature in Firefox 23. Many users will do the same thing, and this is not the desired affect.

If this behavior is not present in Firefox 23, I look forward to the update when it is release from Ubuntu. If you think this is unique to Ubuntu, you need to tell them since so many distributions pull their sources from Ubuntu. Of course, Debian has their unbranded versions.

Comment 2

[Mihai Morar, (:MihaiMorar)]

Are you using x64 or x86 Linux?

Comment 3

[Mihai Morar, (:MihaiMorar)]

I'm not able to reproduce your issue on Ubuntu 13.04 x86 and x64 too, using FF 22.0 and Latest Nightly 25.

Please install Latest nightly and tell me if your issue is still present:

http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2013/07/2013-07-14-03-02-02-mozilla-central/firefox-25.0a1.en-US.linux-i686.tar.bz2

Use both: clean profile and Safe mode.

1) a clean profile:
http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles

2) Safe mode:
http://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode

Comment 4

[Thomas Sisson]

(In reply to Mihai Morar, QA [:MarioMi] from comment #2)
I'm using 64-bit on Kubuntu 12.10 with 32-bit support and all backports enabled.

In case you ask why I don't upgrade to 13.04, I am currently stuck with 12.10 due a glitch. I believe it may partially involve the fact that the packages from the backports have newer dates than the Raring 13.04 packages.

I will install a nightly build per your instructions, test it, and get back to you soon.

My main concern is being sure that people do not receive too many Renego warnings and turn off this feature. I understand that no security feature is fool-proof, but this tool has great potential that will only work if it is not disabled.

Comment 5

[Mihai Morar, (:MihaiMorar)]

Is this issue still present following STR from Comment 3?

Comment 6

[Thomas Sisson]

I don't know what STR is, but I followed the instructions. It was not reproduced in a Beta with a fresh profile.

I reported it because I felt it was an issue. If it is something in my profile, resetting my profile is not the most desired solution. Instead, changing a value in about:config or removing the errant user_pref is the most desired solution. Unfortunately, documentation on the prefs.js file is quite out-of-date at mozillazine.org.

I will change the status to RESOLVED-WONTFIX because I suspect it is a bad preference setting. I hope that is all that it is. If I correct the issue, I will try to remember to post the solution so that others may fix their preferences as well.