Closed Bug 257308 Opened 20 years ago Closed 20 years ago

Visual indicators of site security appear for the wrong site (lock icon)

Categories

(Core :: Networking, defect)

Product:
Core
Component:
Networking
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta1

People

(Reporter: bugzilla, Assigned: darin.moz)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: fixed-aviary1.0, fixed1.4.4, fixed1.7.5, Whiteboard: [sg:fix])

Attachments

(6 files, 3 obsolete files)

sample binary attachment
(deleted), application/octet-stream
Details
sample test case (view on non-secure server)
(deleted), text/html
Details
v1.1 patch - with similar nsDocShell changes
(deleted), patch
mkaply
: approval-aviary+
mkaply
: approval1.7.5+
Details | Diff | Splinter Review
30kb mp3
(deleted), text/plain
Details
v2.1 patch - revised per bz's comments
(deleted), patch
Biesinger
: review+
asa
: approval-aviary+
dveditz
: approval1.7.5+
Details | Diff | Splinter Review
Backport for 1.4 take 2
(deleted), patch
darin.moz
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040819 Firefox/0.8 StumbleUpon/1.9 (MOOX M2)
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.2) Gecko/20040819 Firefox/0.8 (MOOX M2)

If I'm on an http site, then I click a link on that site to a totally unrelated
https server which provides a downloadable file - not a file that can be viewed
in Firefox, and not where the link target is a new window - then the address bar
for the currently viewed HTTP site goes yellow, and the security box on the
status bar shows the http site with a padlock. In other words, the HTTP site is
reported as taking on the security characteristics of the HTTPS server that is
supplying the file rather than the currently-viewed page.

Further discussion here: http://forums.mozillazine.org/viewtopic.php?t=117908

Reproducible: Always
Steps to Reproduce:
1.Find or create a link on a HTML page hosted on a HTTP server that points to a
downloadable file on an unrelated HTTPS server.
2.Click that link.
3.Accept the file or cancel (the visual indications change before you make the
choice anyway.)

Actual Results:  
Address bar background changes yellow.
Status bar security field displays the HTTP server name with a padlock, and
changes the tool-tip to mention the HTTPS's certificate issuing authority.

Expected Results:  
Made none of the above changes in the UI.

Perhaps the relevant section of the download manager window should go yellow
instead, but I'm sure that's a separate issue...

The linked-to discussion leads me to believe that the yellow-bar feature may
only be visible in more recent builds.
Confirming. Using the link in that thread to download a file from a secure
server gives me the padlock on the page I'm currently on.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040803 Firefox/0.9.3

This appears to be quite old. I've been able to duplicate this with Firefox
branch, 0.9.3, 0.9.1, 0.8 and Mozilla 1.7.2. It's possible this is a dupe of
another bug with the security flag.

Marking NEW, requesting blocking.

Thanks for filing man. :)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.0PR?
Flags: blocking-aviary1.0?
HW/OS -> All, Severity -> critical

Well, it's pretty serious anyway heh..
Severity: normal → critical
OS: Windows 98 → All
Hardware: PC → All
If we've been shipping with this behaviour for a while, I doubt we'll block on this.
darin will take a look to see what we can do here.
Assignee: firefox → darin
if this can make PR it would be good.
Flags: blocking-aviary1.0PR?
Flags: blocking-aviary1.0PR+
Flags: blocking-aviary1.0?
Flags: blocking-aviary1.0+
This is a dup.
Whiteboard: DUPEME
happens in mozilla 2004090105/winxp too, -> browser
Component: General → Networking
Product: Firefox → Browser
QA Contact: firefox.general → benc
Version: unspecified → Trunk
Target Milestone: --- → mozilla1.8beta
On the surface this is sort of the opposite of bug 258048
Blocks: lockicon
*** Bug 238566 has been marked as a duplicate of this bug. ***
Are you sure this is a dupe? We've fixed similar bugs, but I can't find one
currently like this.

bug 240053 was fixed in Moz1.7 / ff0.9 (redirects)
bug 253121 was fixed in Moz1.7.2 / ff0.9.3 (onunload document.write)

bug 258048 describes an opposite situation, security indicators for the current
site stick around too long.
Attached file sample binary attachment (deleted) β€” 

  

  



    
    

    
  


  
Load this attachment over plaintext HTTP.  Then, click the link named "click
me".  Notice that you get a download dialog and the lock icon is present on the
browser window, but the original page contents are still showing.

  

  



    
    

    
  
I can reproduce this bug using Mozilla 1.0 and 1.4, so this has been around for
a long time.  I also don't see any evidence in the code that there was ever a
design intended to handle this case :-(

  

  



    
    

    
  

      
      
      
      

        Attached patch
          
          
        v1 patch (obsolete) (deleted)
        β€” 
          β€” Splinter Review
      

    


  
OK, this seems like a safe patch.  The solution is to basically make retargeted
loads behave more like redirected loads as far as the webprogresslistener
notifications are concerned.

With this patch, we pass NS_BINDING_RETARGETED as the status code when calling
RemoveRequest from inside nsExternalAppHandler::RetargetLoadNotifications.  It
makes sense to pass an error code here because the load is actually not
successful with respect to loading inside the load group.  It is really pretty
wrong to say that the request has completed normally, which is what the current
code does.

The other change this patch makes is to cause the DocLoader to not synthesize a
STATE_TRANSFERRING event when the loadgroup calls its OnStopRequest method
(triggered from RemoveRequest).  This is what we currently do for redirected
requests, and it makes sense to do the same for retargeted requests.

One more thing to note: NS_BINDING_RETARGETED is not used anywhere else.  I
recall back in the day that it was used.  Used by code in uriloader land if I'm
not mistaken.  The fact that it is not used is good from the point of view of
this patch, since it means that we aren't co-opting an existing meaning for
this error code.

  

  



    
  

        Attachment #158258 -
        Flags: superreview?(bzbarsky)

        Attachment #158258 -
        Flags: review?(cbiesinger)

        Attachment #158258 -
        Flags: review?(cbiesinger) → review+

    
    

    
  
Comment on attachment 158258 [details] [diff] [review]
v1 patch

sr=bzbarsky if you also fix the similar code at
http://lxr.mozilla.org/seamonkey/source/docshell/base/nsDocShell.cpp#4546
(which is retargeting from one docshell to another, but the effect is the
same).

  

  



        Attachment #158258 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  


  
thanks bz!

  

  



        Attachment #158258 -
        Attachment is obsolete: true

    
    

    
  
fixed-on-trunk

  

  


Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED

    
  

        Attachment #158283 -
        Flags: approval1.7.x?

        Attachment #158283 -
        Flags: approval-aviary?

    
    

    
  
Needed on 1.7 also

  

  


Flags: blocking1.7.x+
Whiteboard: DUPEME → [sg:fix]

    
    

    
  
Comment on attachment 158283 [details] [diff] [review]
v1.1 patch - with similar nsDocShell changes

a=mkaply for both

  

  



        Attachment #158283 -
        Flags: approval1.7.x?

        Attachment #158283 -
        Flags: approval1.7.x+

        Attachment #158283 -
        Flags: approval-aviary?

        Attachment #158283 -
        Flags: approval-aviary+

    
    

    
  
Needed on Aviary also.

  

  



    
    

    
  
fixed1.7.x, fixed-aviary1.0

  

  


Keywords: fixed-aviary1.0, 
          
            fixed1.7.x

    
    

    
  
This isn't totally fixed, assuming it's supposed to be on my build (Firefox
branch, 20040912). I can't give out the test URL I see this on for copyright and
practicality reasons, but clicking a link hosted on http://www.livejournal.com
leading to an mp3 file hosted at https://home.comcast.net still makes
livejournal's location bar go yellow and padlocked, and the status bar shows
livejournal.com as being a secure site.

It seems possibly dependent on mime type as the behaviour seems fixed for zip
files on the secure server but still broken for mp3s.

  

  



    
    

    
  

      
      
      
      

        Attached file
          
        30kb mp3 (deleted)
        β€” 
      

    


  

  

  



    
    

    
  
Hrm, ok I'm not sure that worked right heh.. I was trying to make a testcase
with test.mp3, but the file is displaying in the browser.

Thought maybe if the content-type was being sent as text/plain, Firefox would
start out wanting to view the file, but once it sees binary data it'd change to
download instead.

I setup a test at work and didn't have any problems with content-type bits.

http://www.gozer.org/test/mozilla/257308/

  

  



    
    

    
  
Ok, that one worked fine for me too. Maybe it's something Comcast-specific.

  

  



    
  

        Attachment #158694 -
        Attachment mime type: text/plain → application/octet-stream

    
    

    
  
The testcase should work now.  A mimetype of application/octet-stream should
force Firefox to always ask to download.

  

  



    
    

    
  
Hmm... I just downloaded the latest aviary branch build from ftp.mozilla.org
(Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20040910 Firefox/0.10), and I
couldn't reproduce the bug using the testcases at
http://www.gozer.org/test/mozilla/257308/.

  

  



    
    

    
  
(In reply to comment #26)
> Ok, that one worked fine for me too. Maybe it's something Comcast-specific.

Since you can't put up the urls, could you get the headers for the file that's
causing this?

  

  



    
    

    
  
I don't know how to get the headers for an mp3 download. Page Info and the Web
Developer extension's 'view response headers' function don't work because the
page stays blank while it downloads in the download manager. Any suggestions?

  

  



    
    

    
  
There's lotsa ways to do this..

wget -sqO- http://www.example.com/some.mp3

-(~) telnet www.example.com 80
Trying 127.0.0.1...
Connected to www.example.com.
Escape character is '^]'.
HEAD /some.mp3 HTTP/1.0
Host: www.example.com

HTTP/1.1 200 OK
...

telnet won't work on an ssl-enabled server, so...

openssl s_client -connect www.example.com:443
<send http request>

Or, you could even make a small libcurl or perl client. :P

  

  



    
    

    
  
Interesting... :

HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Tue, 14 Sep 2004 01:29:16 GMT
Content-type: text/plain
Last-modified: Mon, 13 Sep 2004 20:15:51 GMT
Content-length: 2740429
Accept-ranges: bytes
Connection: close

It's sending text/plain, yet it's definitely an mp3 file, and Firefox correctly
identifies it as such (giving me the save/open dialog) when I download it.

  

  



    
    

    
  
Ok! I have a new testcase for you to try:
http://homepage.ntlworld.com/ben.sizer/testmoz/mp3test.html
Click the mp3 link there, which leads to an mp3 file hosted on a Comcast server,
accessed with https. The actual/expected results are as I originally reported at
the start of this bug. I have just tested with a 20040916 branch build of
Firefox. Can anyone confirm this?

  

  



    
    

    
  
Man, I feel like a dumbass - Content-Type: test/plain

I've fixed my testcase and am able to see it now, must be due to the text/plain
[oh it's binary] stuff (bug 220807).

Reopened

  

  


Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
  

        Attachment #158694 -
        Attachment mime type: application/octet-stream → text/plain

    
    

    
  
Ok, I can't get my bugzilla test.mp3 attachment to work right, I think it's
content-disposition: inline header, so we'll just have to rely on the external
testcases.

  

  



    
    

    
  
> http://homepage.ntlworld.com/ben.sizer/testmoz/mp3test.html
> Can anyone confirm this?

Yes, I can reproduce the problem too using the 9/14 aviary branch build w/ your
testcase.  Investigating...

  

  


Status: REOPENED → ASSIGNED

    
    

    
  
It looks like we are getting an OnProgress event prior to OnStartRequest when
loading http://homepage.ntlworld.com/ben.sizer/testmoz/mp3test.html.  I think
that would explain the lock icon bug because the nsSecureBrowserUI uses the
OnProgress event to determine that secure content is being shown to the user. 
Hmm...

It looks like nsHttpChannel does not ensure that OnProgress occur only after
OnStartRequest.  There's a side issue since we use OnProgress to report upload
progress as well as download progress.  Clearly, nsSecureBrowserUI should only
apply its OnProgress logic to downloads, so we should verify that.

  

  



    
    

    
  
ok, after further analysis i understand the problem.  the channel cannot solve
this problem.  it is in fact delaying OnProgress until after OnStartRequest, but
that is not enough.  in this case, the content-type from the server is
text/plain.    in this case we invoke a content sniffer to determine if the
content is really text because it is often the case that servers such as this
one are misconfigured.  the content sniffer requires data to be read from the
channel, which triggers the OnProgress notification.

to solve this problem i think we need to suppress sending
OnStateChange(STATE_TRANSFERRING) until after a load has been targetted.  this
only applies to toplevel loads with the LOAD_DOCUMENT_URI load flag.  one way to
do that would be to invent a new load flag that gets set by the
nsDocumentOpenInfo once it has targetted a load.  nsDocLoader::OnProgress would
then check for that load flag and suppress the OnStateChange call if the load
flag is not set (for the case in which LOAD_DOCUMENT_URI is set).

i discussed this plan with biesi over IRC and he agrees.  this seems like a more
robust fix that should help minimize the chance of this bug ever coming up again.

patch coming up...

  

  



    
    

    
  

      
      
      
      

        Attached patch
          
          
        v2 patch (obsolete) (deleted)
        β€” 
          β€” Splinter Review
      

    


  
Here's a patch for the solution I mentioned.  I still need to document the load
flags used by the URILoader, DocLoader, and DocShell better.  That
documentation probably doesn't belong in nsIChannel.idl ;-)

  

  



    
  

        Attachment #159229 -
        Flags: superreview?(bzbarsky)

        Attachment #159229 -
        Flags: review?(cbiesinger)

    
    

    
  
Comment on attachment 159229 [details] [diff] [review]
v2 patch

>Index: uriloader/base/nsDocLoader.cpp
>-  nsLoadFlags loadFlags = 0;
>+  PRUint32 loadFlags = 0;

Why?  The loadFlags attribute of nsIRequest is of type "nsLoadFlags"...

>+    newLoadFlags = nsIChannel::LOAD_RETARGETED_DOCUMENT_URI;

This should be an |=, no?

sr=bzbarsky with those fixed (and perhaps the other GetLoadFlags callers also
using nsLoadFlags?)

  

  



        Attachment #159229 -
        Flags: superreview?(bzbarsky) → superreview+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        v2.1 patch - revised per bz's comments (deleted)
        β€” 
          β€” Splinter Review
      

    


  
nsLoadFlags vs. PRUint32 ... no good reason really.  much of necko uses
PRUint32 (despite nsIRequest.idl), and so I went with that here too.  But, I
don't care much either way, so I changed all of uriloader/base over to
nsLoadFlags.

Thanks for catching the |= mistake.  That's corrected in this patch too.

  

  



    
  

        Attachment #159229 -
        Attachment is obsolete: true

    
  

        Attachment #159229 -
        Flags: review?(cbiesinger)

    
  

        Attachment #159235 -
        Flags: review?(cbiesinger)

    
    

    
  
Comment on attachment 159235 [details] [diff] [review]
v2.1 patch - revised per bz's comments

looks good

  

  



        Attachment #159235 -
        Flags: review?(cbiesinger) → review+

    
    

    
  
fixed-on-trunk

  

  


Status: ASSIGNED → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → FIXED

    
  

        Attachment #159235 -
        Flags: approval1.7.x?

        Attachment #159235 -
        Flags: approval-aviary?

    
    

    
  
Comment on attachment 159235 [details] [diff] [review]
v2.1 patch - revised per bz's comments

a=dveditz for 1.7x contingent on aviary approval. Would like some trunk baking
first.

  

  



        Attachment #159235 -
        Flags: approval1.7.x? → approval1.7.x+

    
    

    
  
Comment on attachment 159235 [details] [diff] [review]
v2.1 patch - revised per bz's comments

a=asa for aviary checkin.

  

  



        Attachment #159235 -
        Flags: approval-aviary? → approval-aviary+

    
    

    
  
fixed-aviary1.0 and fixed1.7.x for v2.1 patch

  

  


Summary: Visual indicators of site security appear for the wrong site → Visual indicators of site security appear for the wrong site (lock icon)

        Attachment #158251 -
        Attachment description: sample test case → sample test case (view on non-secure server)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Complete patch, backported to 1.4 (obsolete) (deleted)
        β€” 
          β€” Splinter Review
      

    


  

  

  



    
    

    
  
Comment on attachment 172289 [details] [diff] [review]
Complete patch, backported to 1.4

>Index: uriloader/base/nsURILoader.cpp

>     }
> 
>+    aChannel->SetLoadFlags(loadFlags | newLoadFlags);
>+
>+
>     const char* contentTypeToUse;

nit: no need for extra newline


>     if (helperAppService)
>     {
>+      // Set these flags to indicate that the channel has been targeted and that
>+      // we are not using the original consumer.
>+      nsLoadFlags loadFlags = 0;
>+      request->GetLoadFlags(&loadFlags);
>+      request->SetLoadFlags(loadFlags | nsIChannel::LOAD_RETARGETED_DOCUMENT_URI
>+                                    | nsIChannel::LOAD_TARGETED);
>+
>       rv = helperAppService->DoContent(contentType.get(),
>                                        request,
>                                        m_originalContext,
>                                        getter_AddRefs(contentStreamListener));
>       if (NS_SUCCEEDED(rv) && contentStreamListener) {
>         m_targetStreamListener = contentStreamListener;
>+        request->SetLoadFlags(loadFlags);
>         return NS_OK;
>       }

I think it is wrong to call SetLoadFlags in the success case here.
The trunk does so in the failure case.

  

  



        Attachment #172289 -
        Flags: review?(darin) → review-

    
    

    
  
also, the last patch didn't include the definition of nsIChannel::LOAD_TARGETED.

  

  



    
    

    
  

      
      
      
      

        Attached patch
          
          
        Backport for 1.4 take 2 (deleted)
        β€” 
          β€” Splinter Review
      

    


  
addressing darin's comments.  I also think we need to null out
m_targetStreamListener (if DoContent() fails) looking at the current trunk.  It
seems like the correct thing to do here, what do you think darin?

  

  



        Attachment #172289 -
        Attachment is obsolete: true

        Attachment #174321 -
        Flags: review?(darin)

    
    

    
  
Comment on attachment 174321 [details] [diff] [review]
Backport for 1.4 take 2

sure, this looks fine to me.  r=darin

  

  



        Attachment #174321 -
        Flags: review?(darin) → review+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: