Closed Bug 908703 Opened 11 years ago Closed 7 months ago

Change the Network Pane Mixed Content message mechanism to use the logic in Mixed Content Blocker for determining if a message is Mixed Content

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: ialagenchev, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-backlog2]) 

We started logging Mixed Content messages in the security pane of the web console as part of bug 875456. Bug 737873 originally added the messages to the network pane, but used a less than perfect way for validating if a resource is mixed content. We want to now use the same logic that is employed by the MCB. An alternative and potentially better approach could be to use the notifications from nsSecurityConsoleService, which is planned to be introduced by bug 897240 since nsSecurityConsoleService notifications are triggered by MCB itself.
Component: Security → DOM: Security
Whiteboard: [domsecurity-backlog]
See Also: → 1201767
If you go to https://wired.com, it will redirect to http://wired.com.  The webconsole Net Panel, for some reason, still thinks the top level page is https://wired.com.  It doesn't consider the redirect and readjust the the top level page.  Hence, we end up with tons of mixed content warnings in the Net panel since http://wired.com loads lots of http:// content.

Brian, is the fact that the webconsole doesn't update the request.url after a redirect a known issue[1]?  Is it something that will get fixed, or should we just turn off Mixed Content warnings in the Net panel?  And stick to the ones in the Security panel, which are accurate (or at least designed to be accurate :).

Thanks!

[1] http://mxr.mozilla.org/mozilla-central/source/devtools/client/webconsole/webconsole.js#1600
Flags: needinfo?(bgrinstead)
When you say mixed content warnings in the new panel do you mean the 'broken lock' icon showing up on requests?  Because those show up even if the original page loaded is http://wired.com.  IIRC it was decided to show the insecury iconography for all http requests inside this thread: https://groups.google.com/d/msg/mozilla.dev.developer-tools/y3MqhAGLMjg/SyY93QPuBgAJ.

> 1. HTTPS OK - green lock
> 2. HTTPS weak - grey lock with yellow warning triangle
> 3. HTTPS failed - grey warning triangle
> 4. HTTP OK - struck-through lock
> 5. localhost - globe
Flags: needinfo?(bgrinstead)
Tanvi, can you answer Brians answer/question - I think it would be nice to get this bug resolved!
Flags: needinfo?(tanvi)
Priority: -- → P2
Priority: P2 → P3
Whiteboard: [domsecurity-backlog] → [domsecurity-backlog2]
Clearing my ni? queue at the moment. Since Kate is taking on the work for mixed content, I think this is something she might look into as well, hence I am making this bug block bug 1295777.
Blocks: 1295777
Flags: needinfo?(tanvi)
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.