900449 - https://www.ubuntu.si has active mixed content (iframe) that are blocked by the mixed content blocker

Status: RESOLVED FIXED

(Tech Evangelism Graveyard :: Slovenian, defect)

Description

[Stefan Baebler]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130729175331

Steps to reproduce:

Visited https://www.ubuntu.si/ with FireFox 23 (currently in beta)


Actual results:

An iframe content was blocked by mixed content blocker. Error console:
Blocked loading mixed active content "http://www.indiegogo.com/project/461046/widget"


Expected results:

These resources should be loaded via https 
(either by fixing the references on the site, or resolving Bug 776278)

Comment 1

[Tanvi Vyas[:tanvi]]

In Chrome 30+, this is blocked without a way for the user to override because ubuntu.si sets the STS header, and hence really should not have mixed content.

[blocked] The page at https://www.ubuntu.si/ ran insecure content from http://www.indiegogo.com/project/461046/widget.

Matt, can you check IE when you get a chance?  Thanks!

Comment 2

[Stefan Baebler]

Preventing mixed content based solely on presence of HSTS header would imply new meaning to the HSTS header, which is not standard (yet). See Bug 800098.

Web site maintainers notified via facebook:
https://www.facebook.com/UbuntuSlovenija/posts/599087090111616?comment_id=6678161
and email {andrejm,luka}@[site domain]

Comment 3

[Stefan Baebler]

The iframe src on the site was fixed (changed from http to https) a few minutes ago, satisfying the mixed content blocker.

Comment 4

[Tanvi Vyas[:tanvi]]

Thanks Stefan!