This is something that mixed-content blocking should prevent, right? Otherwise, there's no limitation on HTTPS redirecting to HTTP, it's just a bad security practice in general. I don't see any reason for this to remain a private bug.
Yes. IMHO, this is something mixed content should block. If you change the <script> src to load with HTTP on an HTTPS page, it is properly blocked. But if the <script> src loads with HTTPS, and is 302 redirected to an HTTP resource, on the same HTTPS page, it is not blocked. I also tested on Nightly 26.0.a1 (2013-09-10) and the issue still exists. I updated the platform and version number above. I set "private" because it could be an exploit, and I wasn't sure which to select, so I defaulted to being paranoid. If requested, I can set it as public (I think I can -- first time reporting a FF bug). Please let me know anything else you require.
OS: Linux → Windows 7
Version: 23 Branch → 26 Branch
Our content policies (all of them) don't handle redirects properly. Here are 3 bugs that talk about this:

https://bugzilla.mozilla.org/show_bug.cgi?id=418354 (nsIContentPolicy cannot examine redirects)
https://bugzilla.mozilla.org/show_bug.cgi?id=456957 (specific to mixed content blocker)
https://bugzilla.mozilla.org/show_bug.cgi?id=878890 (extensions that don't work as intended because MCB doesn't handle redirects)

I agree with Ben, we can open this bug up. It is a known issue and the other bugs we have open for it are public.
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
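
The behaviour discussed in this thread, as an added example that is not part of the bug report and is not Firefox code: a mixed-content check that inspects only the URL written in the <script> src, beside one that re-checks every redirect target. The function names, the chain format and the example hostnames are assumptions made for illustration.

```javascript
// Added illustration; all URLs and redirect chains below are constructed sample data.
const PAGE = "https://site.example/index.html";

// Each chain is the list of responses seen while loading one <script src>.
const DIRECT_HTTP = [{ url: "http://cdn.example/lib.js", status: 200 }];
const HTTPS_TO_HTTP = [
  { url: "https://cdn.example/lib.js", status: 302, location: "http://cdn.example/lib.js" },
  { url: "http://cdn.example/lib.js", status: 200 },
];
const HTTPS_RELATIVE = [
  { url: "https://cdn.example/lib.js", status: 301, location: "/v2/lib.js" },
  { url: "https://cdn.example/v2/lib.js", status: 200 },
];

// True when a secure page would load the resource over plain HTTP.
function isMixedContent(pageUrl, resourceUrl) {
  return new URL(pageUrl).protocol === "https:" &&
         new URL(resourceUrl).protocol === "http:";
}

// Every URL the load touches: the initial one plus each 3xx Location target,
// resolved against the URL that issued the redirect.
function visitedUrls(chain) {
  const urls = [chain[0].url];
  for (const hop of chain) {
    if (hop.status >= 300 && hop.status < 400 && hop.location) {
      urls.push(new URL(hop.location, hop.url).href);
    }
  }
  return urls;
}

// Check applied once, to the URL in the markup (the behaviour reported here).
function checkInitialOnly(pageUrl, chain) {
  return isMixedContent(pageUrl, chain[0].url) ? "blocked" : "allowed";
}

// Check applied to the initial URL and to every redirect target.
function checkEveryHop(pageUrl, chain) {
  const bad = visitedUrls(chain).some((u) => isMixedContent(pageUrl, u));
  return bad ? "blocked" : "allowed";
}
```

Run against the constructed chains, the initial-only check blocks DIRECT_HTTP but allows HTTPS_TO_HTTP, while the per-hop check blocks both and still allows the HTTPS-to-HTTPS redirect.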