Closed
Bug 906447
Opened 12 years ago
Closed 11 years ago
Regression: mixed-content blocking not obvious
Categories
(Core :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: tj.iam.tj, Unassigned)
Attachments
(3 files)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130803192641
Steps to reproduce:
Created a simple static HTML5 web-page containing two unnamed iframes. The first sources an HTML page from a third-party site, the second a YouTube video. The page is hosted at https://iam.tj/projects/hacking/101/index.html
Actual results:
When viewed with Firefox 23 on Ubuntu 13.04 or Windows 7 64-bit both iframes show the YouTube video.
Expected results:
Each iframe should display its own source content. Firefox 22 on Windows 7 64-bit also shows the correct content. Chrome and Chromium both display the correct content.
What is strangish is that when the page is loaded locally using the file:// protocol the first iframe shows the HTML content correctly, but the 2nd frame fails to find/load the Youtube site.
When I load that page, the first iframe is blank because it's being blocked by the mixed content blocker. This is a new feature in Firefox 23. See https://blog.mozilla.org/security/2013/06/27/mixed-content-blocker-hits-firefox-beta/ for more information.
I can't reproduce the first iframe also showing the Youtube video. That sounds very strange. Could you attach a screenshot of how the page looks when you load it?
OK, caught out by the enabling, as the default, of mixed content blocking as per
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/
However, this is a regression and one that many users might not figure out.
In the case of my example the page is hosted on an HTTPS-only server. The content in the iframe is on an HTTP-only server. This scenario makes the page author powerless to 'fix' the regression in the user experience.
There is no Javascript in either URL content.
The shield icon in the address bar wasn't obvious or eye-catching and wasn't seen until the blog post that describes it was read. At the least the browser should show a pop-up.
(In reply to mjh563 from comment #2)
> When I load that page, the first iframe is blank because it's being blocked
> by the mixed content blocker.
My discovery of that crossed with your posting.
>
> I can't reproduce the first iframe also showing the Youtube video. That
> sounds very strange. Could you attach a screenshot of how the page looks
> when you load it?
It doesn't seem to want to show it that way anymore. I just see the empty iframe. I did close and reopen the browser (on Ubuntu) to confirm it wasn't some transient rendering glitch when it occurred though.
(In reply to TJ from comment #3)
> The shield icon in the address bar wasn't obvious or eye-catching and wasn't
> seen until the blog post that describes it was read. At the least the
> browser should show a pop-up.
I agree, the shield is not obvious at all.
The first time I came across a page with some mixed content blocked, I didn't even notice it until I'd spent some time trying to work out why the page wasn't loading properly (including restarting in safe mode).
It's interesting that Chrome does load the iframe though. Is Firefox's mixed content blocker supposed to be stricter than Chrome's?
Comment 8•12 years ago
Hi TJ,
Thanks for your report! You have in fact hit on a number of things we are discussing for Mixed Content Blocking.
* IE and Firefox block Mixed Content frames. Chrome doesn't yet, but will soon (Chrome 30). Some reasoning behind this can be found here: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#Mixed_Content_Frames
* The UI for the Mixed Content Blocker is a shield in the location bar. We decided not to show the doorhanger that pops open when you click the shield automatically, because we didn't want to interrupt the user's workflow. (Mixed content blocking doesn't always mean a page is broken / not functional; it could just mean that an ad is missing.) But since the shield is grey and doesn't have any animation or anything, it can be difficult to discover. There is a bug filed for making the Mixed Content Shield more discoverable and the UX team is working on some mock ups: https://bugzilla.mozilla.org/show_bug.cgi?id=834828
* The file:// protocol is a local resource, so should not be blocked by the Mixed Content Blocker.
* Often HTTPS websites want to embed third party frames that may not have an HTTPS version available. One option we are considering is implementing a work around if the iframe is sandboxed. This would reduce the threat of the mixed content iframe. See bug https://bugzilla.mozilla.org/show_bug.cgi?id=903211
Comment 9•12 years ago
@Tanvi, would it be at all feasible to treat localhost as a local resource as well, or is that too much of a security risk? I have clients with legacy client-side servers for special label printers and the like, and it would be great to not have to go through the self-signed cert dance with users.
Comment 10•12 years ago
localhost doesn't pose a MITM danger but is it common enough to be worth creating an exception mechanism? Running such services on localhost is a terribly dangerous idea: they typically weren't made to be robust enough to be put on the public internet, and the browser acts as a bridge allowing any page to attempt to abuse them. Your only protection is security through obscurity -- that's why we've toyed with the idea of blocking localhost and other rfc1918 addresses (bug 354493).
That said, given that such services _are_ being used it might be better to special-case localhost than invent a whitelisting feature. If people whitelist their localhost-using sites then they are unprotected from actual mixed-active content should the page have both sources, or if mixed-script content is added in the future. On the other hand, who are we kidding? People are going to whitelist the site anyway to "get it to work".
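Added example (not Firefox code, and not posted by anyone in this bug): a small model of the decision that comments 8 and 10 describe, written in JavaScript so it can be run in Node or pasted into a browser console. Inside an https:// document, http:// subresources that can run or alter the page (scripts, stylesheets, frames, XHR, fonts, plugins) count as active content and are blocked when security.mixed_content.block_active_content is true; images, audio and video are display content and still load; a file:// document is not a secure context, so nothing is blocked in it; and a top-level navigation to http:// (the 302 chain in comment 16) is not mixed content at all. The resource types in the sample are assumptions, because the network log in this thread does not record them, and the localhost exemption is the hypothetical floated in comments 9 and 10, off by default, not something Firefox implemented.

```javascript
// Added example: a model of the Mixed Content Blocker decision as described in this
// thread. Not Firefox's implementation. Resource types and the localhost exemption
// are assumptions made for the example.

const ACTIVE_TYPES = new Set(["script", "stylesheet", "iframe", "xhr", "font", "object"]);
const DISPLAY_TYPES = new Set(["image", "audio", "video"]);

// Loopback hosts, for the hypothetical exemption discussed in comments 9 and 10.
function isLoopback(hostname) {
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
}

// Decide what happens to one request issued from documentUrl.
// prefs.blockActive mirrors security.mixed_content.block_active_content;
// prefs.blockDisplay mirrors the (off by default) display-content pref;
// prefs.exemptLocalhost is the hypothetical exemption, off by default.
function mixedContentDecision(documentUrl, requestUrl, type, prefs = {}) {
  const { blockActive = true, blockDisplay = false, exemptLocalhost = false } = prefs;
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);

  if (type === "navigation") {
    return { mixed: false, kind: null, action: "load", reason: "top-level navigation, not a subresource" };
  }
  if (doc.protocol !== "https:") {
    // file://, http:// and friends are not secure contexts, so there is nothing to protect.
    return { mixed: false, kind: null, action: "load", reason: `document is ${doc.protocol}, not a secure context` };
  }
  if (req.protocol !== "http:") {
    return { mixed: false, kind: null, action: "load", reason: `request is ${req.protocol}` };
  }
  if (exemptLocalhost && isLoopback(req.hostname)) {
    return { mixed: true, kind: "exempt", action: "load", reason: "loopback exemption (hypothetical)" };
  }
  if (ACTIVE_TYPES.has(type)) {
    return { mixed: true, kind: "active", action: blockActive ? "block" : "load", reason: "mixed active content" };
  }
  if (DISPLAY_TYPES.has(type)) {
    return { mixed: true, kind: "display", action: blockDisplay ? "block" : "load", reason: "mixed display content" };
  }
  // Unknown subresource type: treat it as active, the conservative choice.
  return { mixed: true, kind: "active", action: blockActive ? "block" : "load", reason: `unknown type ${type}, treated as active` };
}

// Constructed entries modelled on the comment 16 log. The types are assumptions;
// the callback is typed "xhr" because comment 12 describes it as a background AJAX call.
const DOCUMENT = "https://www.trentstudents.org/users/sign_in";
const SAMPLE_REQUESTS = [
  { url: "https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/core-4e0e7c73195dffb5a500ae38ae6e73ef.js", type: "script" },
  { url: "http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5061/original/NTSU_FB.png", type: "image" },
  { url: "http://www.trentstudents.org/users/auth/shibboleth/callback", type: "xhr" },
  { url: "http://www.trentstudents.org/", type: "navigation" },
];

// Annotate every request with the decision the model makes for it.
function triageRequests(documentUrl, requests, prefs) {
  return requests.map((r) => ({ url: r.url, type: r.type, ...mixedContentDecision(documentUrl, r.url, r.type, prefs) }));
}

// Just the URLs the model would block: these are the ones that should produce a
// "Blocked loading mixed active content" line and a shield in the location bar.
function blockedUrls(documentUrl, requests, prefs) {
  return triageRequests(documentUrl, requests, prefs).filter((d) => d.action === "block").map((d) => d.url);
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(triageRequests(DOCUMENT, SAMPLE_REQUESTS));
}
```

With the defaults the only blocked entry is the http:// callback; flipping blockActive to false (what the reporter did on his Linux machine) lets everything load, which is the behaviour difference the thread is chasing.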
Comment 11•12 years ago
@Daniel: that's precisely it. I'm no expert, so I'll leave it up to those who are, but I'd much rather not risk clients making the situation worse by whitelisting incorrectly (or worse, disabling the whole mixed-content subsystem, as they're doing now in our test-runs). If the current situation is not improved enough to justify that risk, then is it really worth blocking mixed content on localhost? I wouldn't know. I do know that the self-signed certificate warning notices scare people even more, so this is really a no-win scenario for us unless we can find the time to create a plugin that does what those localhost services do. And I'm not sure that'll be all that much safer for the clients anyhow.
Reporter
Comment 12•11 years ago
Follow-up after my partner was bitten by the same issue whilst using a student union site to sign up for his new university freshers week. The student union site calls upon the university's SSO service to verify his student ID, and although the majority of the site is using HTTPS, one particular background AJAX script uses HTTP.
It manifests as an obscure site error report with no mixed-content shield or any other warning as to the blocked mixed content. He had been having problems since last week and assumed it was a transient site issue but it was only today when we tried it from my PC (Linux + FF v23 with blocking disabled) and it worked that I remembered this mixed-content blocker and identified the reason for the site failing was the recent upgrade to FF v23 on his Windows 7 PC.
So, this new default is definitely causing regressions in behaviour and even for those of us aware of mixed content blocking, it is not always obviously the cause, as in this case.
Summary: multiple iframes in HTML5 page show the same source → Regression: mixed-content blocking not obvious
Comment 13•11 years ago
(In reply to TJ from comment #12)
> Follow-up after my partner was bitten by the same issue whilst using a
> student union site to sign up for his new university freshers week. The
> student union site calls upon the university's SSO service to verify his
> student ID, and although the majority of the site is using HTTPS, one
> particular background AJAX script uses HTTP.
>
> It manifests as an obscure site error report with no mixed-content shield or
> any other warning as to the blocked mixed content. He had been having
> problems since last week and assumed it was a transient site issue but it
> was only today when we tried it from my PC (Linux + FF v23 with blocking
> disabled) and it worked that I remembered this mixed-content blocker and
> identified the reason for the site failing was the recent upgrade to FF v23
> on his Windows 7 PC.
>
> So, this new default is definitely causing regressions in behaviour and even
> for those of us aware of mixed content blocking, it is not always obviously
> the cause, as in this case.
Hi TJ,
Do you happen to have the URL of the website? Along with the shield discoverability issues (https://bugzilla.mozilla.org/show_bug.cgi?id=834828), are you also reporting that the shield icon doesn't show up at all on FF23 with Windows 7?
Mihai, can you verify that when you go to https://people.mozilla.com/~tvyas/mixedcontent.html on FF23 using Windows 7 that you see the shield icon?
QA Contact: mihai.morar
Reporter
Comment 14•11 years ago
Unfortunately the site only fails when the SSO log-in is returning from a valid student ID being entered - if an incorrect entry is made the log-in page re-displays on the SSO server, so I can't provide you with a way to replicate it.
However, the lack of shield isn't limited to Windows Firefox v23. On Linux too the same issue occurs when I re-enabled mixed-content blocking by default.
The failure in the security console is:
[14:24:08.745] GET http://www.trentstudents.org/users/auth/shibboleth/callback [Mixed Content][HTTP/1.0 302 Moved Temporarily 93ms]
Comment 15•11 years ago
Hi TJ,
The failure above and in the picture shows a 302 to another destination. It doesn't show that any content was blocked, but instead that it was allowed, a load was attempted and the load got a 302 back from the server. If content was blocked by the Mixed Content Blocker, it would look like this in the security pane of the webconsole:
https://mdn.mozillademos.org/files/5261/blocked-mixed-content-errors.png
Since it doesn't appear that the Mixed Content Blocker was invoked, it would explain why there is no shield.
However, maybe there is something I am missing here. When you have the about:config pref for security.mixed_content.block_active_content set to false, does the login succeed? And with security.mixed_content.block_active_content set to true, does the login fail? If yes, does the shield icon appear in this case?
Reporter
Comment 16•11 years ago
Tanvi, that is strange!
We begin the hand-off by clicking through the Student Login at: https://www.trentstudents.org/users/sign_in
Before each session cookies were deleted for both domains and browser restarted.
Log-in fails with security.mixed_content.block_active_content == true
[00:13:53.119] GET https://www.trentstudents.org/users/sign_in [HTTP/1.1 200 554ms]
[00:13:53.564] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/application_student_view-7ae86b26d69d8fc101a99aa5fb6b98f6.css [HTTP/1.1 304 Not Modified 51ms]
[00:13:53.565] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/print-ff78fcc6b3c2deb69ea6ddcc9c3e8a76.css [HTTP/1.1 304 Not Modified 54ms]
[00:13:53.566] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/authentication-a51b3f6e1336663eb5098a9cd87d105b.css [HTTP/1.1 304 Not Modified 57ms]
[00:13:53.566] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/core-4e0e7c73195dffb5a500ae38ae6e73ef.js [HTTP/1.1 304 Not Modified 62ms]
[00:13:53.567] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/stylesheets/style.css [HTTP/1.1 304 Not Modified 87ms]
[00:13:53.568] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/javascripts/union.js [HTTP/1.1 304 Not Modified 86ms]
[00:13:53.569] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/calenderui-e3553c6669cb35b7a0d77972033421a9.js [HTTP/1.1 304 Not Modified 101ms]
[00:13:54.040] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/application_student_view-b66ef434dc142cf78ba51342eeb60514.js [HTTP/1.1 304 Not Modified 53ms]
[00:13:54.041] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/registration-7e9d3f5cc4d853f2da4c02dc7c96a86c.js [HTTP/1.1 304 Not Modified 53ms]
[00:13:54.273] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5568/original/STUDENT_LOGIN_btn%20.png [HTTP/1.0 304 Not Modified 231ms]
[00:13:54.277] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5061/original/NTSU_FB.png [HTTP/1.0 304 Not Modified 229ms]
[00:13:54.278] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5062/original/NTSU_TW.png [HTTP/1.0 304 Not Modified 220ms]
[00:13:54.279] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5063/original/NTSU_YT.png [HTTP/1.0 304 Not Modified 213ms]
[00:13:54.280] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5064/original/ENTS_FB.png [HTTP/1.0 304 Not Modified 217ms]
[00:13:54.280] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5065/original/ENTS_TW.png [HTTP/1.0 304 Not Modified 207ms]
[00:13:54.281] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5066/original/FRESH_FB.png [HTTP/1.0 304 Not Modified 286ms]
[00:13:54.282] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5067/original/HALLS_FB.png [HTTP/1.0 304 Not Modified 283ms]
[00:13:54.283] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5068/original/RAG_FB.png [HTTP/1.0 304 Not Modified 292ms]
[00:13:54.284] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5069/original/RAG_TW.png [HTTP/1.0 304 Not Modified 291ms]
[00:13:54.285] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5070/original/SOCS_FB.png [HTTP/1.0 304 Not Modified 302ms]
[00:13:54.286] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5071/original/SOCS_TW.png [HTTP/1.0 304 Not Modified 301ms]
[00:13:54.287] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/transparent-bg.png [HTTP/1.1 304 Not Modified 55ms]
[00:13:54.288] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/unioncloud-logo.png [HTTP/1.1 304 Not Modified 62ms]
[00:13:54.289] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/default/search-image.png [HTTP/1.1 304 Not Modified 63ms]
[00:13:54.289] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-voice.png [HTTP/1.1 304 Not Modified 68ms]
[00:13:54.290] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-ents.png [HTTP/1.1 304 Not Modified 79ms]
[00:13:54.291] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-adv.png [HTTP/1.1 304 Not Modified 80ms]
[00:13:54.292] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-act.png [HTTP/1.1 304 Not Modified 107ms]
[00:13:54.293] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-emp.png [HTTP/1.1 304 Not Modified 118ms]
[00:13:54.293] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-demo.png [HTTP/1.1 304 Not Modified 131ms]
[00:13:54.294] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-eng.png [HTTP/1.1 304 Not Modified 119ms]
[00:13:54.295] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-sport-icon.png [HTTP/1.1 304 Not Modified 146ms]
[00:13:54.296] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/breadcrumb-icon.png [HTTP/1.1 304 Not Modified 125ms]
[00:13:54.297] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/breadcrumbs-arrow.gif [HTTP/1.1 304 Not Modified 185ms]
[00:13:54.297] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/default/highlight-buttons.png [HTTP/1.1 304 Not Modified 176ms]
[00:13:54.298] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/nus-digital-logo.png [HTTP/1.1 304 Not Modified 186ms]
[00:13:54.299] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/footer-bullets.png [HTTP/1.1 304 Not Modified 194ms]
[00:13:54.300] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/nott-backdrop.jpg [HTTP/1.1 304 Not Modified 247ms]
[00:13:54.617] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/javascripts/union.js [HTTP/1.1 304 Not Modified 53ms]
[00:13:54.673] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/calenderui-e3553c6669cb35b7a0d77972033421a9.js [HTTP/1.1 304 Not Modified 75ms]
[00:13:55.076] GET https://www.trentstudents.org/pages/enable_cms_to_edit?on_off_button=&_=1378854834785 [HTTP/1.1 302 212ms]
[00:13:55.080] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/default/tip-twitter_arrows.gif [HTTP/1.1 304 Not Modified 48ms]
--
[00:14:06.658] GET https://www.trentstudents.org/users/auth/shibboleth [HTTP/1.1 302 Found 196ms]
[00:14:06.921] GET https://shib2idp.ntu.ac.uk/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLLbsIwEEV%2FJfKeOHEQD4sgUVgUiRZE0i66qRxnAKvGTj12af%2B%2B4dGWblhZ9ty5d%2BbIIxR73fBJ8DuzhvcA6KPPvTbIT4WcBGe4FaiQG7EH5F7yYvKw4CxOeOOst9JqEk0QwXllzdQaDHtwBbgPJeFpvcjJzvsGOaWHwyH2DoxHH%2BrjEVu3pcVOVZXV4HcxoqVHc0ZXy6Ik0aydRhlx9P1zwVbPVN3ExodYyDi80fZG21k2SsOlfw21ciA9LYolieaznLz2oB70WZKwYVaxetPvJUPZEyLtStbNhvWglSEGmBv0wvicsCTNOsmwkyYly3ja5Un%2FhUSry8p3ytTKbG%2Fzqc4i5Pdlueqcd3oGh6d9WgEZj46U%2BSnYXXG%2FbSt%2BYJPxNdpg2iepbahPXPGX64hepZwjG%2F7Y2s5nK6uV%2FIomWtvD1IHwkJOU0PG55f%2B%2FGH8D&RelayState=ss%3Amem%3Aa5efbd309eb460256a6a1b473f8dd8ebe14aceb305b3b2df28da8988db4844fb [HTTP/1.1 302 Moved Temporarily 128ms]
[00:14:07.058] GET https://shib2idp.ntu.ac.uk/idp/AuthnEngine [HTTP/1.1 302 Moved Temporarily 56ms]
[00:14:07.133] GET https://shib2idp.ntu.ac.uk/idp/Authn/RemoteUser [HTTP/1.1 302 Moved Temporarily 44ms]
[00:14:07.134] GET https://shib2idp.ntu.ac.uk/cas/login?service=https%3A%2F%2Fshib2idp.ntu.ac.uk%2Fidp%2FAuthn%2FRemoteUser [HTTP/1.1 200 OK 89ms]
--
[00:14:36.414] POST https://shib2idp.ntu.ac.uk/cas/login;jsessionid=38DEB5CEE651E9D7962C8C06780BFE3E?service=https%3A%2F%2Fshib2idp.ntu.ac.uk%2Fidp%2FAuthn%2FRemoteUser [HTTP/1.1 302 Moved Temporarily 668ms]
[00:14:37.129] GET https://shib2idp.ntu.ac.uk/idp/Authn/RemoteUser?ticket=ST-69613-KxbbxBOoiXsR19sxDbTR-cas [HTTP/1.1 302 Moved Temporarily 58ms]
[00:14:37.279] GET https://shib2idp.ntu.ac.uk/idp/profile/SAML2/Redirect/SSO [HTTP/1.1 200 OK 500ms]
[00:14:37.896] POST https://www.trentstudents.org/Shibboleth.sso/SAML2/POST [HTTP/1.1 302 Found 350ms]
[00:14:38.252] GET https://www.trentstudents.org/users/auth/shibboleth [HTTP/1.1 302 149ms]
[00:14:38.411] GET https://www.trentstudents.org/users/auth/shibboleth/callback [HTTP/1.1 302 151ms]
[00:14:38.576] GET http://www.trentstudents.org/users/auth/shibboleth/callback [HTTP/1.0 302 Moved Temporarily 167ms]
[00:14:38.755] GET https://shib2idp.ntu.ac.uk/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLBbsIwEER%2FJfKdOCS0IRZBonAoEi2I0B56qUyygFVjp167tH9fJ4GKXjhZ9s7O7D55hPwoazZx9qDW8OkAbfB9lApZW8iJM4ppjgKZ4kdAZktWTJ4WLA4jVhttdaklCSaIYKzQaqoVuiOYAsyXKOFlvcjJwdqaUXo6nUJrQFm0rmqOUJs9LQ5iu9US7CFE1LTxjulqWWxIMPPDCMUb284EvQt6fSyqOlTWhbwM3Qf1N%2BpH2QkJ5%2F41VMJAaWlRLEkwn%2BXkvbzj0e4%2BTTM%2BzKKoGsbpgKdZUiUJT1IYZF6G6GCu0HJlcxJH%2FaQXZb1%2BtIkT1h%2BwJHsjweq88YNQlVD723i2nQjZ42az6nU7vYLBdh8vIONRA5m1weYK%2B21bfmFNxhcoDVqn%2FFMptatarvjHdUSvUrrImj172%2FlspaUof4KJlPo0NcAt5KRP6Lhr%2Bf8txr8%3D&RelayState=ss%3Amem%3A36758643c39a30bfce020c8afcd412d8bd4f31242a75dcd67bf5daa7c0e02b6a [HTTP/1.1 302 Moved Temporarily 72ms]
[00:14:38.858] GET https://shib2idp.ntu.ac.uk/idp/AuthnEngine [HTTP/1.1 302 Moved Temporarily 43ms]
[00:14:38.924] GET https://shib2idp.ntu.ac.uk/idp/profile/SAML2/Redirect/SSO [HTTP/1.1 200 OK 49ms]
[00:14:39.081] GET https://shib2idp.ntu.ac.uk/idp/images/logo.jpg [HTTP/1.1 200 OK 117ms]
Log-in succeeds with: security.mixed_content.block_active_content == false
[00:18:28.112] GET https://www.trentstudents.org/users/sign_in [HTTP/1.1 200 486ms]
[00:18:28.554] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/application_student_view-7ae86b26d69d8fc101a99aa5fb6b98f6.css [HTTP/1.1 304 Not Modified 106ms]
[00:18:28.556] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/print-ff78fcc6b3c2deb69ea6ddcc9c3e8a76.css [HTTP/1.1 304 Not Modified 111ms]
[00:18:28.557] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/authentication-a51b3f6e1336663eb5098a9cd87d105b.css [HTTP/1.1 304 Not Modified 137ms]
[00:18:28.558] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/core-4e0e7c73195dffb5a500ae38ae6e73ef.js [HTTP/1.1 304 Not Modified 149ms]
[00:18:28.559] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/stylesheets/style.css [HTTP/1.1 304 Not Modified 165ms]
[00:18:28.561] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/javascripts/union.js [HTTP/1.1 304 Not Modified 156ms]
[00:18:28.562] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/calenderui-e3553c6669cb35b7a0d77972033421a9.js [HTTP/1.1 304 Not Modified 156ms]
[00:18:28.629] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/application_student_view-b66ef434dc142cf78ba51342eeb60514.js [HTTP/1.1 304 Not Modified 177ms]
[00:18:28.632] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/registration-7e9d3f5cc4d853f2da4c02dc7c96a86c.js [HTTP/1.1 304 Not Modified 172ms]
[00:18:29.379] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/nott-backdrop.jpg [HTTP/1.1 304 Not Modified 56ms]
[00:18:29.381] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5568/original/STUDENT_LOGIN_btn%20.png [HTTP/1.0 304 Not Modified 157ms]
[00:18:29.382] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5061/original/NTSU_FB.png [HTTP/1.0 304 Not Modified 157ms]
[00:18:29.383] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5062/original/NTSU_TW.png [HTTP/1.0 304 Not Modified 151ms]
[00:18:29.383] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5063/original/NTSU_YT.png [HTTP/1.0 304 Not Modified 160ms]
[00:18:29.384] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5064/original/ENTS_FB.png [HTTP/1.0 304 Not Modified 141ms]
[00:18:29.385] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5065/original/ENTS_TW.png [HTTP/1.0 304 Not Modified 135ms]
[00:18:29.386] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5066/original/FRESH_FB.png [HTTP/1.0 304 Not Modified 218ms]
[00:18:29.387] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5067/original/HALLS_FB.png [HTTP/1.0 304 Not Modified 225ms]
[00:18:29.388] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5068/original/RAG_FB.png [HTTP/1.0 304 Not Modified 234ms]
[00:18:29.389] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5069/original/RAG_TW.png [HTTP/1.0 304 Not Modified 242ms]
[00:18:29.390] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5070/original/SOCS_FB.png [HTTP/1.0 304 Not Modified 249ms]
[00:18:29.391] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5071/original/SOCS_TW.png [HTTP/1.0 304 Not Modified 248ms]
[00:18:29.503] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/transparent-bg.png [HTTP/1.1 304 Not Modified 63ms]
[00:18:29.506] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/unioncloud-logo.png [HTTP/1.1 304 Not Modified 83ms]
[00:18:29.509] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/default/search-image.png [HTTP/1.1 304 Not Modified 59ms]
[00:18:29.510] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-voice.png [HTTP/1.1 304 Not Modified 84ms]
[00:18:29.510] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-ents.png [HTTP/1.1 304 Not Modified 75ms]
[00:18:29.511] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-adv.png [HTTP/1.1 304 Not Modified 103ms]
[00:18:29.512] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-act.png [HTTP/1.1 304 Not Modified 138ms]
[00:18:29.513] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-emp.png [HTTP/1.1 304 Not Modified 173ms]
[00:18:29.514] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-demo.png [HTTP/1.1 304 Not Modified 168ms]
[00:18:29.514] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-stu-eng.png [HTTP/1.1 304 Not Modified 180ms]
[00:18:29.515] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/ntsu-sport-icon.png [HTTP/1.1 304 Not Modified 215ms]
[00:18:29.516] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/breadcrumb-icon.png [HTTP/1.1 304 Not Modified 238ms]
[00:18:29.517] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/breadcrumbs-arrow.gif [HTTP/1.1 304 Not Modified 234ms]
[00:18:29.518] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/default/highlight-buttons.png [HTTP/1.1 304 Not Modified 251ms]
[00:18:29.518] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/nus-digital-logo.png [HTTP/1.1 304 Not Modified 279ms]
[00:18:29.519] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/images/footer-bullets.png [HTTP/1.1 304 Not Modified 286ms]
[00:18:29.520] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/javascripts/union.js [HTTP/1.1 304 Not Modified 118ms]
[00:18:30.439] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/calenderui-e3553c6669cb35b7a0d77972033421a9.js [HTTP/1.1 304 Not Modified 52ms]
[00:18:30.618] GET https://www.trentstudents.org/pages/enable_cms_to_edit?on_off_button=&_=1378855110261 [HTTP/1.1 302 192ms]
[00:18:30.621] GET https://nus-production-assets.s3-eu-west-1.amazonaws.com/assets/default/tip-twitter_arrows.gif [HTTP/1.1 304 Not Modified 77ms]
[00:18:30.946] GET https://www.trentstudents.org/users/auth/shibboleth [HTTP/1.1 302 Found 48ms]
[00:18:31.061] GET https://shib2idp.ntu.ac.uk/idp/profile/SAML2/Redirect/SSO?SAMLRequest=fZLLTsMwEEV%2FJfK%2BcR6iBKuJFNoFlQpETWDBBjnJtLFw7OCxKfw96QMom64se%2B7cO3PkGfJeDix3tlNreHeA1vvspUJ2KKTEGcU0R4FM8R6Q2YaV%2Bf2KRX7ABqOtbrQkXo4Ixgqt5lqh68GUYD5EA0%2FrVUo6awdklO52O98aUBata%2FeHr82Wlp2oay3Bdj6ipnvziBaPZUW8xTiNUHzv%2B%2BeCoz4S7eAr63ze%2BO6Njjc6zrIREk79a2iFgcbSsnwk3nKRklcOSdxCE7TJ9RVvaw48CDdJXNcQTKdhHY4yRAdLhZYrm5IoCONJcDMJgyqKWZiwOHohXnFa%2BVaoVqjtZT71UYTsrqqKyXGnZzB42GcUkGy2p8wOweaM%2B2Vb%2FgObZOdonRqfGqlde%2BCKv1xn9CzlGDmwh9F2uSi0FM2Xl0upd3MD3EJKQkKzY8v%2Ff5F9Aw%3D%3D&RelayState=ss%3Amem%3A4a960aa4d93152c73b18ab3a72b320e9311a5275e9e0069383bf65d41fbc97e5 [HTTP/1.1 302 Moved Temporarily 408ms]
[00:18:31.474] GET https://shib2idp.ntu.ac.uk/idp/AuthnEngine [HTTP/1.1 302 Moved Temporarily 58ms]
[00:18:31.566] GET https://shib2idp.ntu.ac.uk/idp/Authn/RemoteUser [HTTP/1.1 302 Moved Temporarily 40ms]
[00:18:31.568] GET https://shib2idp.ntu.ac.uk/cas/login?service=https%3A%2F%2Fshib2idp.ntu.ac.uk%2Fidp%2FAuthn%2FRemoteUser [HTTP/1.1 200 OK 86ms]
--
[00:18:41.827] POST https://shib2idp.ntu.ac.uk/cas/login;jsessionid=5A9949E5AF9873FC8149B72380E8F6E3?service=https%3A%2F%2Fshib2idp.ntu.ac.uk%2Fidp%2FAuthn%2FRemoteUser [HTTP/1.1 302 Moved Temporarily 699ms]
[00:18:42.535] GET https://shib2idp.ntu.ac.uk/idp/Authn/RemoteUser?ticket=ST-69662-tyZKTkeW3zx12EtwHQo3-cas [HTTP/1.1 302 Moved Temporarily 196ms]
[00:18:42.740] GET https://shib2idp.ntu.ac.uk/idp/profile/SAML2/Redirect/SSO [HTTP/1.1 200 OK 496ms]
[00:18:43.433] POST https://www.trentstudents.org/Shibboleth.sso/SAML2/POST [HTTP/1.1 302 Found 286ms]
[00:18:43.726] GET https://www.trentstudents.org/ [HTTP/1.1 302 153ms]
[00:18:43.892] GET http://www.trentstudents.org/ [HTTP/1.0 200 OK 631ms]
[00:18:44.680] GET http://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/stylesheets/style.css [HTTP/1.0 304 Not Modified 3ms]
[00:18:45.644] GET http://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/stylesheets/fonts/gotham-medium-webfont.woff [HTTP/1.0 200 OK 7ms]
[00:18:45.645] GET http://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/stylesheets/fonts/gotham-book-webfont.woff [HTTP/1.0 200 OK 12ms]
[00:18:45.646] GET http://nus-production-assets.s3-eu-west-1.amazonaws.com/themes/ntsu_default/stylesheets/fonts/gotham-bold-webfont.woff [HTTP/1.0 200 OK 12ms]
[00:18:46.270] GET http://www.trentstudents.org/pages/enable_cms_to_edit?on_off_button=&_=1378855126007 [HTTP/1.0 200 OK 156ms]
Comment 17•11 years ago
Hi TJ,
Can you turn the network pane off and just show messages from the security pane? In the security.mixed_content.block_active_content == true case, Firefox 23 should show you all the resources that were blocked by Mixed Content Blocker in the security pane of the webconsole. The network pane alone just tells us what is loaded, so I'm unclear on what is being blocked.
Thanks!
Reporter
Comment 18•11 years ago
[00:52:37.018] GET http://www.trentstudents.org/users/auth/shibboleth/callback [HTTP/1.0 302 Moved Temporarily 257ms]
Comment 19•11 years ago
(In reply to TJ from comment #18)
> [00:52:37.018] GET
> http://www.trentstudents.org/users/auth/shibboleth/callback [HTTP/1.0 302
> Moved Temporarily 257ms]
Hmm; this is still a message from the network pane. Here is an example of a message from the security pane:
* Open the webconsole and click just the security pane (un-selecting the Net, CSS, JS, and Logging panes)
* Go to https://people.mozilla.org/~tvyas/mixedcontent.html
* You see the following in the webconsole:
[17:11:45.908] Blocked loading mixed active content "http://people.mozilla.com/~tvyas/script.js" @ https://people.mozilla.org/~tvyas/mixedcontent.html
Notice it says "Blocked loading ...". In the url bar, you will also see the shield icon indicating that content has been blocked. On any given page, if you see one and not the other (a message saying that content is "Blocked loading" but no shield icon or vice versa), then that is definitely a bug.
Reporter
Comment 20•11 years ago
No, the message is from the Security pane. It was the only one selected.
I'm unable to reproduce the issue any longer though because the site operators have fixed the issue after we reported it to them.
Comment 21•11 years ago
Hi TJ,
Sorry for all the back and forth! I just realized that we had a bug/feature in Firefox 23 where Mixed Content loads in the Net panel also showed up in the security panel. So it does make perfect sense that this is the message you get in the security pane.
Anyway, I'm glad that the site operators fixed the issue. Thanks for reporting it to them!
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
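Added example (not from the bug and not Firefox code): a parser for the two web console line formats quoted in this thread, so a pasted log can be triaged the way comments 15, 19 and 21 do by hand. A network-pane request line carries an HTTP status, which means the load was attempted and answered, even when Firefox 23 tagged it [Mixed Content] and mirrored it into the security pane; only a "Blocked loading mixed ... content" message means the Mixed Content Blocker acted, and that is the case in which the shield should be visible. The sample lines are constructed in the shape of comments 14, 16 and 19.

```javascript
// Added example: parse Firefox 23 web console lines as quoted in this bug and
// separate real blocks from mixed-content loads that merely got tagged.
// The line formats are taken from the thread; everything else is an assumption.

// [00:13:54.273] GET http://host/x.png [HTTP/1.0 304 Not Modified 231ms]
// [14:24:08.745] GET http://host/callback [Mixed Content][HTTP/1.0 302 Moved Temporarily 93ms]
const NETWORK_LINE = /^\[(\d\d:\d\d:\d\d\.\d{3})\] (GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) ((?:\[[^\]]*\])+)$/;
// [17:11:45.908] Blocked loading mixed active content "http://host/script.js" @ https://host/page.html
const BLOCKED_LINE = /^\[(\d\d:\d\d:\d\d\.\d{3})\] Blocked loading mixed (active|display) content "([^"]+)" @ (\S+)$/;
// The trailing tag: HTTP version, status, optional reason phrase, elapsed time.
const STATUS_TAG = /^HTTP\/(\S+) (\d{3})(?: (.*?))?\s(\d+)ms$/;

function parseConsoleLine(line) {
  let m = BLOCKED_LINE.exec(line);
  if (m) {
    return { kind: "blocked", time: m[1], mixedKind: m[2], url: m[3], document: m[4] };
  }
  m = NETWORK_LINE.exec(line);
  if (!m) return null; // not one of the two formats quoted in the thread
  const tags = [...m[4].matchAll(/\[([^\]]*)\]/g)].map((t) => t[1]);
  const statusTag = tags.find((t) => STATUS_TAG.test(t));
  const s = statusTag ? STATUS_TAG.exec(statusTag) : null;
  return {
    kind: "network",
    time: m[1],
    method: m[2],
    url: m[3],
    mixedContentTag: tags.includes("Mixed Content"),
    httpVersion: s ? s[1] : null,
    status: s ? Number(s[2]) : null,
    elapsedMs: s ? Number(s[4]) : null,
  };
}

// Sort a dump into: loads the blocker stopped, mixed-content loads that went through
// anyway (they have a status), and everything else. Per comment 19, a "Blocked loading"
// line and the location-bar shield go together, so shieldExpected follows from blocked.
function triageConsole(lines) {
  const result = { blocked: [], allowedMixed: [], other: [], shieldExpected: false };
  for (const line of lines) {
    const e = parseConsoleLine(line.trim());
    if (!e) continue;
    if (e.kind === "blocked") {
      result.blocked.push(e.url);
    } else if (e.mixedContentTag && e.status !== null) {
      result.allowedMixed.push(`${e.url} -> ${e.status}`);
    } else {
      result.other.push(e.url);
    }
  }
  result.shieldExpected = result.blocked.length > 0;
  return result;
}

// Constructed sample in the shape of the lines quoted in comments 14, 16 and 19.
const SAMPLE_LINES = [
  "[00:18:28.112] GET https://www.trentstudents.org/users/sign_in [HTTP/1.1 200 486ms]",
  "[00:18:29.381] GET http://s3-eu-west-1.amazonaws.com/nusdigital/image/images/5568/original/STUDENT_LOGIN_btn%20.png [HTTP/1.0 304 Not Modified 157ms]",
  "[14:24:08.745] GET http://www.trentstudents.org/users/auth/shibboleth/callback [Mixed Content][HTTP/1.0 302 Moved Temporarily 93ms]",
  '[17:11:45.908] Blocked loading mixed active content "http://people.mozilla.com/~tvyas/script.js" @ https://people.mozilla.org/~tvyas/mixedcontent.html',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triageConsole(SAMPLE_LINES), null, 2));
}
```

Run over the comment 14 line alone, the result has an empty blocked list and one allowedMixed entry, which is the reading comment 15 gives: the request was made and answered with a 302, so the absence of a shield is consistent.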
Comment 22•11 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #21)
> Anyway, I'm glad that the site operators fixed the issue. Thanks for
> reporting it to them!
Should probably be a Tech Evangelism bug in that case, but I'll just WFM me instead.
Resolution: FIXED → WORKSFORME
Comment 23•11 years ago
(In reply to Tanvi Vyas [:tanvi] from comment #13)
> Mihai, can you verify that when you go to
> https://people.mozilla.com/~tvyas/mixedcontent.html on FF23 using Windows 7
> that you see the shield icon?
I confirm the shield is displayed.
Comment 24•11 years ago
Tanvi, from now on please needinfo? me for all the security bugs that you want me to verify. I daily receive hundreds of mails for Security and Addons Manager components and I am not able to see all the requests. Thanks!
Comment 25•11 years ago
Oh.. haven't seen you requested a verification on FF 23.. my bad. I verified on Latest Nightly 26 which works as expected but.. using FF 23 release, the shield is displayed only if I navigate to the "Navigate to same domain page" link that is displayed on https://people.mozilla.com/~tvyas/mixedcontent.html . Is this expected?
Comment 26•11 years ago
Hmm; this is very odd. When I visit https://people.mozilla.com/~tvyas/mixedcontent.html using Firefox 23 on Mac OSX, I get the following screenshot. Notice that it includes the grey shield icon next to the lock icon. The webconsole also shows that the mixed script was blocked.
Mihai, can you provide a screenshot of what you see when you visit https://people.mozilla.com/~tvyas/mixedcontent.html using Firefox 23 on Windows 7 with the webconsole open?
Flags: needinfo?(mihai.morar)
Comment 27•11 years ago
Something looks weird. I am not able to reproduce the missing shield anymore. Yesterday I was reproducing in 100% of cases using the same build. Probably I had some preferences modified, but I think what matters is that now it is working as expected.
Flags: needinfo?(mihai.morar)