Open Bug 893533 Opened 6 years ago Updated 4 years ago

No indication when mixed passive content is blocked: insecure images correctly don't load (security.mixed_content.block_display_content is true) but the 'Mixed Content' icon is not displayed

Categories

(Firefox :: Security, defect)

defect
Not set

Tracking

()

People

(Reporter: f201052, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: helpwanted)

Attachments

(3 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0 (Beta/Release)
Build ID: 20130618035212

Steps to reproduce:

0. Set your Firefox 22.0 as follows:
- security.warn_viewing_mixed  true
- security.mixed_content.block_display_content  true
- security.mixed_content.block_active_content  true
- security.warn_viewing_mixed.show_once  false	 (this is probably a deprecated option but i still have it there)

1. Visit non-HTTPS version of this site at http://www.alza.cz (it's the biggest e-shop in Czech republic)

2. Visit the same site again but this time the HTTPS version: https://www.alza.cz




Actual results:

The images in the central part of the webpage correctly disappeared in the HTTPS version because they are served from non-HTTPS URLs.(and security.mixed_content.block_display_content is true).

The problem is that the 'Mixed Content' icon was not shown next to the padlock icon (even though it is normally shown for me in such cases on other sites).


Expected results:

The 'Mixed Content' icon should have been shown next to the padlock icon.
Mixed content blocking has been improved in FF23 and higher. You should download Beta and Aurora and test again with a clean profile.
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

Does it work as expected?
Flags: needinfo?(f201052)
Sorry, but I am not your tester.
Flags: needinfo?(f201052)
Oh, and I consider the words "You should" to be plainly rude in the given context. Next time try something more polite, such as "Could you please".

Finally, I am a user, and as such I install only stable versions. Not unstable. Testers install unstable versions. Mozilla Corporation gets millions of dollars from Google, it _should_ pay its testers.
It wasn't my aim to be rude. In general, users reporting issues to BMO are aware to test beta/aurora/nightly versions to see if it's reproducible/already fixed/improved or old versions to know if it has regressed somewhere.
Of course, if you don't want to be cooperative, that's your choice, but don't expect to get fast help/response/fix.

In addition, beta or aurora are not instable, on the contrary of the popular belief.
And as simple user, maybe you *should* post on SUMO instead of BMO.
https://support.mozilla.org/en-US/questions
Confirmed with 2013-07-15-03-02-02-mozilla-central-firefox-25.0a1.ru.linux-x86_64
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Windows 7 → All
Summary: Insecure images correctly don't load (security.mixed_content.block_display_content is true) but the 'Mixed Content' icon is not displayed → No indication when mixed passive content is blocked: insecure images correctly don't load (security.mixed_content.block_display_content is true) but the 'Mixed Content' icon is not displayed
This is expected behavior.  See https://bugzilla.mozilla.org/show_bug.cgi?id=880526#c29 for a detailed description:

(In reply to Tanvi Vyas [:tanvi] from comment #29)
> The Mixed Content Blocker has been so far designed to block active content. 
> If you also block display, you will encounter the following situations:
> * If you are on a page with just Mixed Active Content, you will see the
> shield icon and the padlock.  You can click the shield to disable
> protection.  ex: https://people.mozilla.com/~tvyas/mixedcontent.html
> * If you are on a page with just Mixed Display Content, you will see the
> padlock (since you have blocked the display content) but you will not see
> the Mixed Content Blocker Shield.  If you decide you want to view the image,
> you have to go to about:config and change the setting, reload the page, and
> then change the setting back.  There is also an addon that makes this easier
> for you. ex: https://people.mozilla.com/~tvyas/mixeddisplay.html
> * if you are on a page with both Mixed Active and Mixed Display Content, all
> the mixed content will be blocked (since you have enabled both prefs) and
> you will see the Shield and the padlock.  If you disable protection, all
> mixed content will load.  ex:
> https://people.mozilla.com/~tvyas/mixedboth.html
Although it is something that is expected so far, this is a valid feature request to provide some UI for blocked Mixed Display case.
(In reply to Tanvi Vyas [:tanvi] from comment #7)
> Although it is something that is expected so far, this is a valid feature
> request to provide some UI for blocked Mixed Display case.

We aren't sure how many users would decide to do this, so initially we didn't implement a UI for it.  Note that there is an addon that can might be able to help with this in the meantime (although I haven't tried it out yet) and it hasn't been vetted/approved by the AMO (addons.mozilla.org) team yet: https://addons.mozilla.org/en-US/firefox/addon/toggle-mixed-display-conten/?src=userprofile
Keywords: helpwanted
I just run in this issue and it's quiet bad, that there is no way to temporary whitelist the site. I expected, that the same UI as I see with mixed content shows up.
To Workaround this, I had to go back to unsecured http. That's a *really* bad workaround.

If there is a blocked active content to, the UI shows up and I'm able to disable the protection for both, active and passive content. So the change for this shouldn't be that hard, isn't it?
Attached patch Bug893533-04-06-15.patch (obsolete) — Splinter Review
Offers the shield override option for users who choose to block mixed display content.

This makes blocking mixed display a more usable option.
Attachment #8588826 - Flags: review?(dolske)
Comment on attachment 8588826 [details] [diff] [review]
Bug893533-04-06-15.patch

Review of attachment 8588826 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM.
Attachment #8588826 - Flags: review?(dolske) → review+
The attached patch doesn't account for when:
* mixed active content has blocked
* mixed display content has loaded 
* the pref to disable mixed display content is set to false.

In that case, we show a crossed out shield when we should show a regular shield:
example https://people.mozilla.com/~tvyas/mixedboth.html

Modifying it to catch that case by checking the pref value.

Also added a couple lines of comments.
Attachment #8588826 - Attachment is obsolete: true
Attachment #8602853 - Flags: review?(dolske)
Comment on attachment 8602853 [details] [diff] [review]
Bug893533-05-07-15.patch

Review of attachment 8602853 [details] [diff] [review]:
-----------------------------------------------------------------

Sorry for the delay here.
Attachment #8602853 - Flags: review?(dolske) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/446ce38d0005 - browser-chrome said https://treeherder.mozilla.org/logviewer.html#?job_id=9983234&repo=mozilla-inbound and devtools said https://treeherder.mozilla.org/logviewer.html#?job_id=9982997&repo=mozilla-inbound

Your commit message also had the bug number typoed, so if you start in on fixing it by qimporting, you'll want to fix that.
Tanvi,
Is it planned to continue here?
Flags: needinfo?(tanvi)
Hardware: x86_64 → All
Version: 22 Branch → Trunk
(In reply to sjw from comment #16)
> Tanvi,
> Is it planned to continue here?

Yes.  I haven't had a chance to go over the broken tests and fix this.  Moreover, the Mixed Content UI is drastically changing right now, with the changes for Firefox 42 and Control Center.  If I do fix this now, I'll likely cause a bit of extra work for the team working on Control Center and they only have one week to go.  I think we should wait for the Control Center changes to finish up this week (and probably next) and then start refactoring the patch here.  If someone else would like to volunteer to take this on, I am happy to mentor, as I don't have the bandwidth to fix this bug for a while.
Flags: needinfo?(tanvi)
There is a shield indicator, and it works for whitelisting the page, but it only appears "randomly". I assumed that it was a bug that it didn't always appear. After reading this bug, the bug may be that it appears at all. In any case, I think the solution is to show it always :)

Steps to reproduce (FF 41.0.2):
Set security.mixed_content.block_display_content to true
Browse to https://blog.mozilla.org/faaborg/2007/03/06/would-you-like-to-redesign-notification-in-firefox-yes-not-now-never/

The images of this old post will be blocked.

The url doesn't show the shield from which they could be unblocked.

Now follow a link, and navigate back. _Sometimes_ you will get the shield with the «Firefox is blocking content» message, and the option to disable it (which does work).
Screenshot of the initial page load
Screenshot of the shield being shown
(In reply to Ángel from comment #18)
> There is a shield indicator, and it works for whitelisting the page, but it
> only appears "randomly". I assumed that it was a bug that it didn't always
> appear. After reading this bug, the bug may be that it appears at all. In
> any case, I think the solution is to show it always :)
> 
> Steps to reproduce (FF 41.0.2):
> Set security.mixed_content.block_display_content to true
> Browse to
> https://blog.mozilla.org/faaborg/2007/03/06/would-you-like-to-redesign-
> notification-in-firefox-yes-not-now-never/
> 
> The images of this old post will be blocked.
> 
> The url doesn't show the shield from which they could be unblocked.
> 
> Now follow a link, and navigate back. _Sometimes_ you will get the shield
> with the «Firefox is blocking content» message, and the option to disable it
> (which does work).



We don't have full override support for mixed passive content blocking.

If you go to about:config and change the pref security.mixed_content.block_display_content to true, then mixed passive content will be blocked with your browser in addition to mixed active content (security.mixed_content.block_active_content = true by default).

When mixed active content attempts to load on a page, the browser blocks it and provides the user with an override to "disable protection".  Disabling protection will allow all forms of mixed content to load - passive and active.  So if you block mixed passive, that will get loaded after you trigger the override.

When mixed passive content attempts to load on a page and the browser blocks it (because the user has changed their preferences to block mixed passive content) the browser does not provide an override.  If there is mixed active content on the page as well, you will see the override as explained in the previous paragraph.  This may be why the override seems to appear randomly for you.  This bug is to add an override capability for those users who decide to disable mixed passive content in their about:config preferences, to make mixed display blocking a more usable feature.

When I go to https://blog.mozilla.org/faaborg/2007/03/06/would-you-like-to-redesign-notification-in-firefox-yes-not-now-never/ I see in the webconsole:
Blocked loading mixed active content "http://i0.wp.com/path_to_url"[Learn More]
along with a lock of blocked mixed display content messages.

If the mixed active resource doesn't attempt to load on the page, you won't see the override.
You need to log in before you can comment on or make changes to this bug.