815321 - (MixedContentBlocker) [meta] Master Bug for Mixed Content Blocker

Status: NEW

(Core :: Security, task, P3)

Description

[Tanvi Vyas[:tanvi]]

This bug serves as a master bug for all things about the Mixed Content Blocker in Firefox.  Implementation, followup bugs, telemetry, new feature requests, etc.  When filing bugs for mixed content, please indicate that it blocks this bug.

Note that no actual code should be landed as part of this master bug.

Comment 1

[Tanvi Vyas[:tanvi]]

Some status updates:
Bug 837075 crash - awaiting try results and then can push to inbound
Bug 836630 test failure - in inbound
Bug 836951 crash - awaiting try results and then can push to inbound
Bug 838403 - needs test.  in try
Bug 836811 crash - patched, but needs a test before we can close.

These are the bugs I am tackling now:
* Potential caching issue - https://bugzilla.mozilla.org/show_bug.cgi?id=837959
* Telemetry - https://bugzilla.mozilla.org/show_bug.cgi?id=781018
* Turn pref on by default - https://bugzilla.mozilla.org/show_bug.cgi?id=834836
* Add blocked info to Webconsole and error console - https://bugzilla.mozilla.org/show_bug.cgi?id=836431 and https://bugzilla.mozilla.org/show_bug.cgi?id=837351

Comment 2

[Tanvi Vyas[:tanvi]]

(In reply to Tanvi Vyas [:tanvi] from comment #1)
> These are the bugs I am tackling now:
> * Potential caching issue -
> https://bugzilla.mozilla.org/show_bug.cgi?id=837959
> * Telemetry - https://bugzilla.mozilla.org/show_bug.cgi?id=781018
> * Turn pref on by default -
> https://bugzilla.mozilla.org/show_bug.cgi?id=834836
> * Add blocked info to Webconsole and error console -
> https://bugzilla.mozilla.org/show_bug.cgi?id=836431 and
> https://bugzilla.mozilla.org/show_bug.cgi?id=837351

And:
* Site Identity Message Updates - https://bugzilla.mozilla.org/show_bug.cgi?id=838402

Comment 3

[Lukas Blakk [:lsblakk] use ?needinfo]

This has been noted in the Aurora 23 release notes:

http://www.mozilla.org/en-US/firefox/23.0a2/auroranotes/

If you would like to make any changes or have questions/concerns please contact me directly.

Comment 4

[Avi Halachmi (:avih)]

Is there some standard where trusted content can use active content over HTTP by providing some cryptographically acceptable hash together with the URI?

e.g.

<html>
<!-- secure from https://trusted.com -->
<head>
<script type="text/javascript" src="http://untrusted3rdparty.com/libs/jquery1.3.min.js" digest="SHA1:12345678901234ABCDEF">
</script>
</head>
<body> blah blah </body>
</html>

Wouldn't this cover the security need while still avoiding the server overhead of serving over HTTPS?

Disclaimer: I'm not a security expert.

Comment 5

[Florian Bender]

There is no such standard. You may however propose one in the WHATWG mailing list [1], or at the W3C. 

[1] http://www.whatwg.org/mailing-list

Comment 6

[Tanvi Vyas[:tanvi]]

(In reply to Avi Halachmi (:avih) from comment #4)
> Is there some standard where trusted content can use active content over
> HTTP by providing some cryptographically acceptable hash together with the
> URI?
> 
> e.g.
> 
> <html>
> <!-- secure from https://trusted.com -->
> <head>
> <script type="text/javascript"
> src="http://untrusted3rdparty.com/libs/jquery1.3.min.js"
> digest="SHA1:12345678901234ABCDEF">
> </script>
> </head>
> <body> blah blah </body>
> </html>
> 
> Wouldn't this cover the security need while still avoiding the server
> overhead of serving over HTTPS?
> 
> Disclaimer: I'm not a security expert.

Thanks Avi for your comments!  This would indeed help alleviate the issues with mixed content.  The digest would be served over HTTPS and the browser woudl only accept the HTTP content if it matched the digest.  Assuming we use a secure collision resistant hashing algorithm, we could allow mixed content loads that include this kind of integrity check.

This idea has been proposed in the past.  Most recently, it was discussed in the W3C Webappsec Working Group.  I can't recall if it has made it into the official charter or not, but here is a short description of it in a draft charter: http://lists.w3.org/Archives/Public/public-webappsec/2012Nov/att-0094/Web_Application_Security_Working_Group.htm (Look under Sub-Resource Integrity).

Also, looks like Gerv posted about this idea years ago: http://www.gerv.net/security/link-fingerprints/

Comment 7

[Stefan Baebler]

I think this one also depends on: 
Bug 841352 - Using InstallTrigger bypasses nsIContentPolicy

Comment 8

[Avi Halachmi (:avih)]

I'm raising a general concern which I'm unable to evaluate its meaningfulness and which this bug is is just an example of:

Considering that this bug has been on beta for few weeks and on aurora before that, wouldn't we expect less bugs to be discovered once it hits release? My gut feeling is that at least some of the newer bugs should have been caught before it hit release.

Am I expecting too much of the beta release? Am I over-evaluating the importance of the bugs here which were discovered late? Also, I can see that bugs were discovered during beta as well, so maybe the fact that bugs kept popping up while this feature was on aurora and beta should have raised some flags that this is maybe not ready for prime time yet?

If some of these concerns are valid, how can we prevent it from happening again? Is it worth a spin off to another bug?

Comment 9

[sjw]

seriously? CVE-2007-1970 is not fixed yet?

Comment 10

[Tony Mechelynck [:tonymec]]

(In reply to Avi Halachmi (:avih) from comment #8)
> I'm raising a general concern which I'm unable to evaluate its
> meaningfulness and which this bug is is just an example of:
> 
> Considering that this bug has been on beta for few weeks and on aurora
> before that, wouldn't we expect less bugs to be discovered once it hits
> release? My gut feeling is that at least some of the newer bugs should have
> been caught before it hit release.
> 
> Am I expecting too much of the beta release? Am I over-evaluating the
> importance of the bugs here which were discovered late? Also, I can see that
> bugs were discovered during beta as well, so maybe the fact that bugs kept
> popping up while this feature was on aurora and beta should have raised some
> flags that this is maybe not ready for prime time yet?
> 
> If some of these concerns are valid, how can we prevent it from happening
> again? Is it worth a spin off to another bug?

Avi, this bug is a meta-bug. As such, it doesn't evolve from trunk to aurora to beta to release. It is just a central place which will show you all mixed-content bugs already found, and which ones have been fixed (on Trunk). Some of them have a security flag set, and of these, "ordinary" non-security-cleared people like me can only know that they exist, not what they are about.

Due to the nature of this particular meta-bug, I expect new blockers to be added to it every time, and that would mean that only the blockers will one by one get FIXED but not the meta-bug itself. Indeed, IMHO it falls within the scope of the saying: "The only kind of bug-free software is obsolete software." This doesn't mean that solving mixed-content-blocker bugs is useless but only that perfection can only be attained asymptotically.

Comment 11

[cfz7y6+5hxeevm457ry5k38ghfidks447vw7a3ga]

Could you add?:
"Mixed content exception (left of address bar) not available in certain cases"
https://bugzilla.mozilla.org/show_bug.cgi?id=1461445

Comment 12

[Dennis Hawkins]

Attachment: faiprepourop19709278.txt

Thanks from rabeganso1981.