895574 - https://www.ea.com does not work properly because of mixed content blocking

Status: RESOLVED WORKSFORME

(Tech Evangelism Graveyard :: English US, defect)

Description

[Tanvi Vyas[:tanvi]]

+++ This bug was initially created as a clone of Bug #892810 +++

Mixed content blocking is a feature that prevents insecure elements on secure pages from loading. In Firefox 23, this feature will default to blocking "active" insecure content, which may break some web sites. 

More information on Firefox's Mixed Content Blocker is below: 
http://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

The security feature is currently breaking the HTTPS version ea.com.  The following HTTP css and javascript content is Blocked:

Blocked loading mixed active content "http://web-static.ea.com/atlas/sw-combine/1374078725/459cb1dc4fa76b8c3948dfa4933b8890.css?v=1374078725" @ https://www.ea.com/
Blocked loading mixed active content "http://web-static.ea.com/atlas/sw-combine/1374078725/6f7f59608e57ea63b42b0b6cbd84b0e7.css?v=1374078725" @ https://www.ea.com/
Blocked loading mixed active content "http://web-static.ea.com/atlas/ui/skin/basiq/css/font-locator-klavika.css?v=12" @ https://www.ea.com/
Blocked loading mixed active content "http://fonts.ea.com/ipn3tud.js" @ https://www.ea.com/
Blocked loading mixed active content "http://web-static.ea.com/atlas/sw-combine/1374078725/aa9b219f67624074aa6ae611eb06bda0.js?v=1374078725" @ https://www.ea.com/
Blocked loading mixed active content "http://web-static.ea.com/atlas/sw-combine/1374078725/36a1a0d2fdf1f7ba7dcc49241f559ca1.js?v=1374078725" @ https://www.ea.com/
Blocked loading mixed active content "http://connect.facebook.net/en_US/all.js#xfbml=1" @ https://www.ea.com/
Blocked loading mixed active content "http://static.ak.fbcdn.net/connect.php/js/FB.Share" @ https://www.ea.com/
Blocked loading mixed active content "http://platform.twitter.com/widgets.js" @ https://www.ea.com/
Blocked loading mixed active content "http://display.digitalriver.com/?aid=244&tax=eapmg" @ https://www.ea.com/
Blocked loading mixed active content "http://resources.ea.com/omniture/utils.js" @ https://www.ea.com/
Blocked loading mixed active content "http://resources.ea.com/omniture/s_code_remote_v02.js" @ https://www.ea.com/
Blocked loading mixed active content "http://resources.ea.com/omniture/omniture_wrapper.js" @ https://www.ea.com/


This issue should also exist for your IE and Chrome users (although I have not confirmed on IE).

To fix this security issue, serve the content over HTTPS and change the link in the HTML source to point to the https:// version of the content.

This was originally reported by a user in bug https://bugzilla.mozilla.org/show_bug.cgi?id=844556#c29

Comment 1

[Tanvi Vyas[:tanvi]]

Matt, can you test this in IE?

Comment 2

[Matt Wobensmith [:mwobensmith][:matt:]]

SSL cert error on IE10.

Comment 3

[Tanvi Vyas[:tanvi]]

Looks like they made some change today and now the affected url is https://www.ea.com.  The cert isn't valid for https://ea.com.  Matt, can you check the www domain on IE?

Comment 4

[Matt Wobensmith [:mwobensmith][:matt:]]

Using https://www.ea.com I do indeed see a mixed content warning in IE10.

Comment 5

[Lukas Blakk [:lsblakk] use ?needinfo]

Tweeted to them about this bug (while waiting to try and find a proper contact) https://twitter.com/lsblakk/status/358322510401519616

Comment 6

[Adam Stevenson [:adamopenweb]]

Looks like they have fixed it, kinda.

http -h GET https://www.ea.com User-Agent:'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:29.0) Gecko/20100101 Firefox/29.0'
HTTP/1.1 301 Moved Permanently
Location: http://www.ea.com/