Closed
Bug 445773
Opened 16 years ago
Closed 7 years ago
Dynamically loading Flash over http doesn't degrade lock icon state (e.g. when using FlashBlock)
Categories: Firefox :: Security, defect
Status: RESOLVED FIXED
People: Reporter: philip.chee, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [fixed by bug 329869]
Description
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.2pre) Gecko/2008071105 Firefox/3.0
And:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1a1pre) Gecko/2008071203 Minefield/3.1a1pre
Original Flashblock bug: https://www.mozdev.org/bugs/show_bug.cgi?id=19577
Steps to reproduce:
1. Install Flashblock.
2. Visit https://chaseonline.chase.com/Logon.aspx
Expected results:
1. A pop up dialog warning you that the data on the page is partially encrypted.
2. Larry says that your connection to this website is not encrypted.
Actual results:
1. No pop up warning.
2. Larry says
[a] Verified: by VeriSign Trust Network.
[b] Your connection to this website is encrypted.
Given that the flash object coming from an unsecure connection is called "cookiemanager", I think this is slightly worrying.
Comment 1•16 years ago
Is the flash object actually getting loaded?
Comment 2•16 years ago
(In reply to comment #1)
> Is the flash object actually getting loaded?
I don't think so. Flash objects blocked by Flashblock don't trigger any content policy calls, so I am pretty certain that nothing is being loaded. On the site in question only that Flash object is being loaded over an unencrypted connection; seems to be WORKSFORME then.
Comment 3•16 years ago (Reporter)
(In reply to comment #1)
> Is the flash object actually getting loaded?
I forgot to add that when you click on the Flashblock placeholder to activate the flash object (causing it to load from an unencrypted URL), *Larry still doesn't sit up and notice*.
Comment 4•16 years ago
So this isn't related to Flashblock at all. The issue is that Larry doesn't catch anything happening after the page loads. E.g. enter the following into the location bar at this page:
javascript:var i = new Image();i.src = "http://insecure.com/";void document.body.appendChild(i);
This will add an image loading from unencrypted HTTP to this page, yet it is still shown as encrypted - all indicators are unchanged.
Comment 5•16 years ago
Yeah. That sounds like a pretty serious issue to me... I'm also having a hard time believing that it's not already on file.
Comment 6•16 years ago
Is your issue limited to images? It is known that Firefox and SeaMonkey have always been unable to detect insecure images in a secure context, see bug 135007.
Can you modify your test to not use an image, but something else, maybe html content, a script or a style sheet? That should all get detected.
Comment 7•16 years ago
No, exactly the same happens for scripts:
javascript:var s = document.createElement("script");s.src = "http://insecure.com/";void document.body.appendChild(s);
And in Flashblock's case we have an object.
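Comments 4 and 7 describe the same failure mode from the defender's side: a subresource appended to the DOM after load is fetched over plain HTTP, yet the page's security indicator never changes. The following is an added example, not code from this bug or from Firefox, showing the classification a mixed-content check has to perform on such late-added resources. It distinguishes "passive" loads (images, the case bug 135007 is cited for) from "active" ones (scripts, plugins, frames, style sheets) whose bytes run or render with the page's privileges. The function names `classifyResource` and `auditResources` and the sample resource list are assumptions of this example; it runs under Node.js using the built-in `URL` class and needs no browser DOM.

```javascript
// Added example (not from the bug report): classify subresource URLs the way a
// mixed-content check would, so a page served over HTTPS can audit what was
// appended to the DOM after load (the case comment 4 and comment 7 describe).
// Runs under Node.js using the built-in URL class; no browser DOM required.

// Element kinds whose fetched bytes are executed or rendered with page privileges.
// Loading these over plain HTTP into an HTTPS page is "active" mixed content;
// everything else (images, media) is "passive" mixed content.
const ACTIVE_KINDS = new Set(["script", "object", "embed", "iframe", "link"]);

// Resolve a resource URL against the page URL and decide whether loading it
// would downgrade the page. Returns null when the load is not mixed content.
function classifyResource(pageUrl, kind, src) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") return null; // only HTTPS pages can be downgraded

  let target;
  try {
    // Resolves relative paths and protocol-relative ("//host/") URLs against the page.
    target = new URL(src, page);
  } catch (e) {
    return { kind, src, severity: "invalid-url" };
  }

  // Non-network schemes (data:, blob:, about:) carry no transport risk here.
  if (target.protocol !== "http:") return null;

  return {
    kind,
    src: target.href,
    severity: ACTIVE_KINDS.has(kind) ? "active" : "passive",
  };
}

// Audit a list of {kind, src} records (e.g. gathered from DOM mutations or a
// resource log) and return only the loads that are mixed content.
function auditResources(pageUrl, resources) {
  const findings = [];
  for (const r of resources) {
    const f = classifyResource(pageUrl, r.kind, r.src);
    if (f) findings.push(f);
  }
  return findings;
}

// Constructed sample input: the two loads the javascript: one-liners in this
// thread would add to the logon page, plus loads that are not mixed content.
const SAMPLE_PAGE = "https://chaseonline.chase.com/Logon.aspx";
const SAMPLE_RESOURCES = [
  { kind: "img", src: "http://insecure.com/" },              // comment 4: passive
  { kind: "script", src: "http://insecure.com/" },           // comment 7: active
  { kind: "object", src: "//insecure.com/flash.swf" },       // protocol-relative resolves to https:
  { kind: "img", src: "/images/logo.png" },                  // relative, resolves to https:
  { kind: "script", src: "data:text/javascript,void 0" },    // non-network scheme
];

function runSample() {
  return auditResources(SAMPLE_PAGE, SAMPLE_RESOURCES);
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

Only the two `http:` loads come back as findings; the protocol-relative and relative URLs resolve to `https:` and are clean, which is why resolving against the page URL before comparing schemes matters. In a browser the `{kind, src}` records would come from a `MutationObserver` watching added nodes, and the indicator should be degraded for any "active" finding rather than only at page-load time.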
Comment 8•16 years ago
This is similar to bug 329869 (scripts) and bug 305282 (images).
Blocks: lockicon
Summary: Flashblock makes Firefox identify partially encrypted pages as fully encrypted. → Dynamically loading Flash over http doesn't degrade lock icon state (e.g. when using FlashBlock)
Comment 10•7 years ago
This in fact got fixed by bug 329869.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 329869]