Open
Bug 815321
(MixedContentBlocker)
Opened 12 years ago
Updated 2 months ago
[meta] Master Bug for Mixed Content Blocker
Categories
(Core :: Security, task, P3)
Core
Security
Tracking
()
NEW
Tracking | Status | |
---|---|---|
relnote-firefox | --- | 23+ |
People
(Reporter: tanvi, Unassigned)
References
(Depends on 58 open bugs, Blocks 2 open bugs)
Details
(Keywords: meta)
This bug serves as a master bug for all things about the Mixed Content Blocker in Firefox. Implementation, followup bugs, telemetry, new feature requests, etc. When filing bugs for mixed content, please indicate that it blocks this bug. Note that no actual code should be landed as part of this master bug.
Reporter | ||
Updated•12 years ago
|
Alias: MixedContentBlocker
Reporter | ||
Comment 1•11 years ago
|
||
Some status updates: Bug 837075 crash - awaiting try results and then can push to inbound Bug 836630 test failure - in inbound Bug 836951 crash - awaiting try results and then can push to inbound Bug 838403 - needs test. in try Bug 836811 crash - patched, but needs a test before we can close. These are the bugs I am tackling now: * Potential caching issue - https://bugzilla.mozilla.org/show_bug.cgi?id=837959 * Telemetry - https://bugzilla.mozilla.org/show_bug.cgi?id=781018 * Turn pref on by default - https://bugzilla.mozilla.org/show_bug.cgi?id=834836 * Add blocked info to Webconsole and error console - https://bugzilla.mozilla.org/show_bug.cgi?id=836431 and https://bugzilla.mozilla.org/show_bug.cgi?id=837351
Reporter | ||
Comment 2•11 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #1) > These are the bugs I am tackling now: > * Potential caching issue - > https://bugzilla.mozilla.org/show_bug.cgi?id=837959 > * Telemetry - https://bugzilla.mozilla.org/show_bug.cgi?id=781018 > * Turn pref on by default - > https://bugzilla.mozilla.org/show_bug.cgi?id=834836 > * Add blocked info to Webconsole and error console - > https://bugzilla.mozilla.org/show_bug.cgi?id=836431 and > https://bugzilla.mozilla.org/show_bug.cgi?id=837351 And: * Site Identity Message Updates - https://bugzilla.mozilla.org/show_bug.cgi?id=838402
Updated•11 years ago
|
Depends on: mozorg-mixedcontent
Updated•11 years ago
|
relnote-firefox:
--- → 23+
Updated•11 years ago
|
QA Contact: virgil.dicu
Comment 3•11 years ago
|
||
This has been noted in the Aurora 23 release notes: http://www.mozilla.org/en-US/firefox/23.0a2/auroranotes/ If you would like to make any changes or have questions/concerns please contact me directly.
Updated•11 years ago
|
QA Contact: virgil.dicu → mihai.morar
Comment 4•11 years ago
|
||
Is there some standard where trusted content can use active content over HTTP by providing some cryptographically acceptable hash together with the URI? e.g. <html> <!-- secure from https://trusted.com --> <head> <script type="text/javascript" src="http://untrusted3rdparty.com/libs/jquery1.3.min.js" digest="SHA1:12345678901234ABCDEF"> </script> </head> <body> blah blah </body> </html> Wouldn't this cover the security need while still avoiding the server overhead of serving over HTTPS? Disclaimer: I'm not a security expert.
Comment 5•11 years ago
|
||
There is no such standard. You may however propose one in the WHATWG mailing list [1], or at the W3C. [1] http://www.whatwg.org/mailing-list
Reporter | ||
Comment 6•11 years ago
|
||
(In reply to Avi Halachmi (:avih) from comment #4) > Is there some standard where trusted content can use active content over > HTTP by providing some cryptographically acceptable hash together with the > URI? > > e.g. > > <html> > <!-- secure from https://trusted.com --> > <head> > <script type="text/javascript" > src="http://untrusted3rdparty.com/libs/jquery1.3.min.js" > digest="SHA1:12345678901234ABCDEF"> > </script> > </head> > <body> blah blah </body> > </html> > > Wouldn't this cover the security need while still avoiding the server > overhead of serving over HTTPS? > > Disclaimer: I'm not a security expert. Thanks Avi for your comments! This would indeed help alleviate the issues with mixed content. The digest would be served over HTTPS and the browser woudl only accept the HTTP content if it matched the digest. Assuming we use a secure collision resistant hashing algorithm, we could allow mixed content loads that include this kind of integrity check. This idea has been proposed in the past. Most recently, it was discussed in the W3C Webappsec Working Group. I can't recall if it has made it into the official charter or not, but here is a short description of it in a draft charter: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/att-0094/Web_Application_Security_Working_Group.htm (Look under Sub-Resource Integrity). Also, looks like Gerv posted about this idea years ago: http://www.gerv.net/security/link-fingerprints/
Comment 7•11 years ago
|
||
I think this one also depends on: Bug 841352 - Using InstallTrigger bypasses nsIContentPolicy
Comment 8•11 years ago
|
||
I'm raising a general concern which I'm unable to evaluate its meaningfulness and which this bug is is just an example of: Considering that this bug has been on beta for few weeks and on aurora before that, wouldn't we expect less bugs to be discovered once it hits release? My gut feeling is that at least some of the newer bugs should have been caught before it hit release. Am I expecting too much of the beta release? Am I over-evaluating the importance of the bugs here which were discovered late? Also, I can see that bugs were discovered during beta as well, so maybe the fact that bugs kept popping up while this feature was on aurora and beta should have raised some flags that this is maybe not ready for prime time yet? If some of these concerns are valid, how can we prevent it from happening again? Is it worth a spin off to another bug?
Reporter | ||
Updated•9 years ago
|
Depends on: CVE-2015-4483
Comment 10•8 years ago
|
||
(In reply to Avi Halachmi (:avih) from comment #8) > I'm raising a general concern which I'm unable to evaluate its > meaningfulness and which this bug is is just an example of: > > Considering that this bug has been on beta for few weeks and on aurora > before that, wouldn't we expect less bugs to be discovered once it hits > release? My gut feeling is that at least some of the newer bugs should have > been caught before it hit release. > > Am I expecting too much of the beta release? Am I over-evaluating the > importance of the bugs here which were discovered late? Also, I can see that > bugs were discovered during beta as well, so maybe the fact that bugs kept > popping up while this feature was on aurora and beta should have raised some > flags that this is maybe not ready for prime time yet? > > If some of these concerns are valid, how can we prevent it from happening > again? Is it worth a spin off to another bug? Avi, this bug is a meta-bug. As such, it doesn't evolve from trunk to aurora to beta to release. It is just a central place which will show you all mixed-content bugs already found, and which ones have been fixed (on Trunk). Some of them have a security flag set, and of these, "ordinary" non-security-cleared people like me can only know that they exist, not what they are about. Due to the nature of this particular meta-bug, I expect new blockers to be added to it every time, and that would mean that only the blockers will one by one get FIXED but not the meta-bug itself. Indeed, IMHO it falls within the scope of the saying: "The only kind of bug-free software is obsolete software." This doesn't mean that solving mixed-content-blocker bugs is useless but only that perfection can only be attained asymptotically.
Reporter | ||
Updated•8 years ago
|
Updated•8 years ago
|
Updated•8 years ago
|
Comment 11•6 years ago
|
||
Could you add?: "Mixed content exception (left of address bar) not available in certain cases" https://bugzilla.mozilla.org/show_bug.cgi?id=1461445
Updated•5 years ago
|
Summary: Master Bug for Mixed Content Blocker → [meta] Master Bug for Mixed Content Blocker
Updated•5 years ago
|
Updated•5 years ago
|
Depends on: CVE-2021-38491
Updated•4 years ago
|
Priority: -- → P3
Product: Firefox → Core
Updated•4 years ago
|
Type: defect → task
Updated•3 years ago
|
Updated•2 years ago
|
Severity: normal → S3
Comment hidden (spam) |
You need to log in
before you can comment on or make changes to this bug.
Description
•