Open
Bug 991313
Opened 11 years ago
Updated 8 months ago
tell the user why they can't add a certificate exception in a framed page
Categories
(Firefox :: Security, enhancement)
REOPENED
People
(Reporter: matteosistisette, Unassigned)
References
(Blocks 1 open bug)
Attachments
(1 file: 48.12 KB, image/png)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140317233501
Steps to reproduce:
visit https://sede.seg-social.gob.es/Sede_1/Lanzadera/index.htm?URL=60
Actual results:
The attached warning is displayed. It warns me that the connection is untrusted.
I don't care because I trust the site, and I want to proceed anyway.
No "I understand the risks" button is shown, only a "take me away from here" button. So I cannot visit the page.
Expected results:
After the "take me away from here" button there should be an "I understand the risks" button. I have seen that thousands of times, so this is a regression.
A huge regression that makes Firefox unusable.
Reporter
Updated•11 years ago
Severity: normal → critical
Comment 1•11 years ago
Reproducible on:
Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0
Considering the details in the Technical Details section, this might be expected though. Perhaps someone in Security can help more here.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Reporter
Comment 2•11 years ago
Expected?
There's no conceivable case where one should not be allowed to choose to accept the risks and continue. You may want to place an extra or stronger warning about the dangers, or perhaps ask for a password or something, but you can't disallow visiting a page completely, no matter how insecure!!!
Btw how are the technical details different from other cases where the option to continue does exist?
Comment 3•11 years ago
(In reply to matteo sisti sette from comment #2)
> Btw how are the technical details different from other cases where the option
> to continue does exist?
Yes, for example: https://reddit.com/.
I might be wrong about your cause though, I'm not sure about it, which is why I'm waiting for someone from Security to comment here and not just closing it as invalid.
Reporter
Comment 4•11 years ago
Ok I can see the difference: one uses an invalid certificate, the other a certificate that is only valid for other domain names.
Still the "I understand the risks" option should exist, always, no matter what, it's as easy as that.
Comment 5•11 years ago
The untrusted certificate dialog does not allow overrides to be added if it is in an iframe due to click-jacking concerns. What you can do to add the override is right-click in the iframe, click "This Frame", and then "Show Only This Frame". This should make the untrusted connection show up in a top-level window context, where you can add an exception.
On a related note, it looks like the root for this site will be added in bug 435736, whereupon overrides will be unnecessary.
I'm resolving this "INVALID" which is an unfortunately harsh way of saying this is the intended behavior.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Reporter
Comment 6•11 years ago
OMG I didn't even know that was in a frame (btw not an iframe).
Some notice should be shown to let the user know how to access the content if he/she understands the risks. You can't expect the user to figure out or google about that.
Updated•11 years ago
Blocks: 1029832
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Summary: Missing "I understand the risks" option on untrusted connection alert → tell the user why they can't add a certificate exception in a framed page
Severity: critical → normal
Has STR: --- → yes
OS: Linux → All
Hardware: x86_64 → All
Comment hidden (advocacy)
Updated•2 years ago
Severity: normal → S3