Closed Bug 898402 Opened 12 years ago Closed 12 years ago

Inconsistent behavior on some of the Facebook apps

Categories

(Firefox :: Security, defect)

23 Branch
x86
All
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: sbadau, Unassigned)

Details

Mozilla/5.0 (Windows NT 5.1; rv:23.0) Gecko/20100101 Firefox/23.0
Build ID: 20130725195523

If security.mixed_content.block_display_content is set to true in about:config, some of the Facebook apps lose connection and can't be played. This behavior is only encountered on Firefox 23. On Firefox 24.0a2 and Firefox 25.0a1 I get an untrusted connection warning (regardless if the preference is set to true or false).

Steps to reproduce:
1. Launch Firefox 23
2. Navigate to https://apps.facebook.com/playbuggle/index.php?type=tab_game or https://apps.facebook.com/playpengle/?fb_source=appcenter&fb_appcenter=1
3. Go to about:config and set "security.mixed_content.block_display" to true.
4. Reload the app opened in step 2.

Actual results:
The app loads for a while and after that I get the message that the connection was lost. As mentioned above, this is the behavior seen on Firefox 23. If the pref "security.mixed_content.block_display_content" is left at its default (false), the game can be played. On Firefox 22, on the latest Nightly 25.0a1 and latest Aurora 24.0a2 I get the Untrusted Connection Warning.

What is displayed in the security pane of the webconsole? It tells you what (if any) mixed content is blocked.

Do you ever see the shield icon when you set the pref to true? If not, then that indicates that
1) there is no mixed active content on the page and the issue is because of something else.
OR
2) there is an attempt to load mixed active content, but the shield doesn't show up. This would mean we have an implementation issue. In this case, also check if the webconsole security pane has output. If something shows up blocked there and you don't see the shield, we have an implementation issue.

Going to https://apps.facebook.com/playbuggle/index.php?type=tab_game in fresh Firefox 23.0 profile gives me an iframe with an untrusted cert error:
buggle.cookapps.com uses an invalid security certificate.

Same for https://apps.facebook.com/playpengle/?fb_source=appcenter&fb_appcenter=1 :
pengle.cookapps.com uses an invalid security certificate.

I'm personally not worried about causing mixed content issues for pages that have invalid certs.

Also, I don't see a way to add an exception for the cert on these pages. In order to add an exception, I have to navigate a new tab to https://buggle.cookapps.com/ and store a temporary exception. Then when I go back to https://apps.facebook.com/playbuggle/index.php?type=tab_game I get a permissions screen. I accept the permissions. I am taken to
https://apps.facebook.com/playbuggle/?state=4426d374b1898ff74b0d3a49bad96b08&code=AQAYA9L06bA8zAeg86XpItCs7NvludaWRNYFMhuoofqhIL8FVjIGYvmotkcLDRdIwxH0LAnpqnudvWOaW0tnqR33Z75KsNd3t-0dnmxJhxAYmkSBsHj5Kr4F0KvWCBH9wn8Ey58FW68kurr_nMcMC7hyWVY3WwOqsHSJVcHH1wwbgoTeTQoESza07AnnRP1gqgr6ZT6TU28SWJO7Gjsz-EV-XdBZqtTOuWMDnr1oWFturqFr3mnflFus5BjT4rXj1GJ79qkEEWp1gmpUidLnIptM5bmdfEptNNZgBE-MRseESVCuj3krownSiG659MM6uZ0#_=_

That page has mixed display content, but no mixed active content so nothing is blocked. I take a spin. I navigate to https://apps.facebook.com/playbuggle/index.php?type=tab_game. There is a new game to play now, and everything seems to work fine.

In conclusion, the Firefox 23 profile you are using probably has a temporary or permanent cert exception. Firefox 24 and 25 probably don't, which is why you get the untrusted cert warning. After adding an exception, I don't see any mixed active content issues on the buggle game page. Hence, I don't think this is a mixed content bug.

I'm not sure why you get the connection is lost message. If you get that in combination with the shield or blocked messages in the security pane of the Mixed Content Blocker, then it could be related to Mixed Content Blocker.

(In reply to Simona B [QA] from comment #0)
> If security.mixed_content.block_display_content is set to true in
> about:config, some of the Facebook apps lose connection and can't be
> played.

Ah! This is the problem. Firefox is not going to block mixed display content anytime in the near future. Setting security.mixed_content.block_display_content to true will certainly break Facebook apps, and many other pages across the web.

The Mixed Content Blocker in Firefox 23+ sets security.mixed_content.block_active_content to true by default. This will block mixed active loads (i.e. scripts, objects, etc.). Mixed display loads (like images) will not be blocked by default (security.mixed_content.block_display_content remains false by default).

For more information on the Mixed Content Blocker, please see here: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/

Closing this bug as invalid, since we aren't blocking mixed display content.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
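
The active/display distinction and the two preferences discussed in the last comment, as an added example that is not part of the bug thread or Firefox's own code: a static audit that lists the plain-HTTP subresources of an HTTPS page and reports which ones each preference setting would block. The tag-to-category table beyond scripts, objects and images, the `audit` helper and the sample hosts are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Scripts/objects are "active" and images "display", as in the comment above;
# the remaining tag assignments are assumptions made for this example.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
DISPLAY = {"img": "src", "audio": "src", "video": "src"}

# Firefox 23 defaults as stated in the thread.
FIREFOX_23_PREFS = {
    "security.mixed_content.block_active_content": True,
    "security.mixed_content.block_display_content": False,
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url, prefs):
        super().__init__()
        self.page_url, self.prefs, self.findings = page_url, prefs, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower().split():
            kind, url = "active", attrs.get("href")
        elif tag in ACTIVE:
            kind, url = "active", attrs.get(ACTIVE[tag])
        elif tag in DISPLAY:
            kind, url = "display", attrs.get(DISPLAY[tag])
        else:
            return
        # Relative and protocol-relative URLs inherit https from the page,
        # so resolve before deciding whether the load is mixed content.
        resolved = urljoin(self.page_url, url or "")
        if not url or urlsplit(resolved).scheme != "http":
            return
        blocked = self.prefs[f"security.mixed_content.block_{kind}_content"]
        self.findings.append((kind, resolved, blocked))

def audit(page_url, html, prefs=FIREFOX_23_PREFS):
    """Return (kind, url, blocked) for each plain-HTTP subresource in html."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over HTTPS
    parser = MixedContentAudit(page_url, prefs)
    parser.feed(html)
    return parser.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<script src="http://cdn.example/app.js"></script>
<link rel="stylesheet" href="//cdn.example/site.css">
<img src="http://img.example/logo.png"><img src="/local.png">
<object data="http://media.example/game.swf"></object>"""
```

A static scan like this does not see loads issued by scripts at run time, so the web console's security pane mentioned earlier in the thread remains the authoritative record of what was blocked.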