Closed Bug 552789 Opened 15 years ago Closed 10 years ago

Mixed-content warning fires inappropriately when following links from some http pages to https pages

Categories

(Firefox :: Security, defect)

3.6 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 947079

People

(Reporter: debrino, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-padlock])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

When going directly to a secured page, the SSL cert is properly engaged and page loads without any warnings.

However, when going to this same secure page VIA a hyperlink from a different page, a warning is thrown: "You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party."

Some interesting facts:
1. This is only happening in Firefox .. not IE, Opera or Safari.
2. After receiving the aforementioned warning, merely clicking REFRESH resolves the issue and the page loads with SSL fully engaged.
3. Going directly to the page in question with HTTPS specified causes page to properly load with SSL fully engaged.



Reproducible: Always

Steps to Reproduce:
TO SEE WARNING:
1. Visit http://www.foapom.com/site/events.asp
2. Click ORDER NOW for the Pageant event.
3. Arrive at HTTPS://www.foapom.com/order/tickets1.asp?ccd=pom
4. Note that (1) mixed encryption warning received unless you have it suppressed and (2) SSL is not fully engaged.
5. Click REFRESH - warning goes away and page/SSL loads properly

TO SEE NO WARNING / PAGE LOAD DIRECTLY:
1. Open a fresh browser window
2. Visit HTTPS://www.foapom.com/order/tickets1.asp?ccd=pom
3. Note that page/SSL loads without any issues.




I have inspected the underlying code, using conventional means as well as Firebug with Codeburner add-on. All images, JavaScript variables, and similar resources are referring/defaulting to HTTPS protocol, when visiting the tickets1.asp page mentioned in above steps.

I think I see the issue. Please advise if this is still improperly handled by Firefox:

NOTE: Timing is key, to reproduce this issue.

1. Visit http://www.foapom.com
2. WHILE THE wibiya toolbar (bottom of browser window) is still loading / fetching resources, PASTE *any* SECURE PAGE into the address bar and press enter.  For example, use:
https://registration.weather.com/ursa/wow/step2

If you do step 2 WHILE Firefox's status bar shows activity "Connecting to toolbar2.wibiya.com", Firefox will throw the warning AND not fully engage the SSL.  Otherwise, Firefox will not have any issues and will fully engage the SSL.

Please advise - what the heck is going on here?!  I hope my research is helpful.

Paul

Note that www.wibiya.com offers an optional setting "Activate Toolbar After Page Load -- This option will make the toolbar load only after your page is fully loaded."

I may try enabling that, once your team has first reviewed this issue to see if Firefox could have handled it better.

My apologies; this issue persists, despite changing the Wibiya toolbar option.

Moreover, the "Steps To Reproduce" as described in my initial post for this bug have NOTHING to do with the homepage which is the only place the wibiya toolbar is included / showing.

I am able to reproduce this issue on various computers running Firefox 3.6:

NOTE: Timing is key, to reproduce this issue.

1. Visit http://www.foapom.com
2. WHILE THE wibiya toolbar (bottom of browser window) is still loading /
fetching resources, PASTE *any* SECURE PAGE into the address bar and press
enter.  For example, use:
https://registration.weather.com/ursa/wow/step2

If you do step 2 WHILE Firefox's status bar shows activity "Connecting to
toolbar2.wibiya.com", Firefox will throw the warning AND not fully engage the
SSL.  Otherwise, Firefox will not report any issues and will fully engage the
SSL.

I am not 100% certain of the timing issue being the cause. Regardless, I am able to move from www.foapom.com to anyone's HTTPS: page and *sometimes* get the warning and other times not (always using the same HTTPS page during this case testing).

Please let me know if I can offer any additional insight.

Perhaps you may find this helpful as well:

1. Open new Firefox browser .. or new tab.
2. Go to http://www.weather.com
3. Regardless of it completely loading, click the "sign in" HYPERLINK (top-right)
4. On next page, IMMEDIATELY click the "sign in" BUTTON
5. If your timing is good, you'll get the SAME error I am discussing in this bug report.  This proves the issue is not related to FOAPOM.COM but rather the way Firefox is handling a page-load-in-progress interrupted by a URL change.

Additionally, I noticed that Firefox CONTINUES to try loading resources from a page that I ABANDONED using BACK button:

1. Go to http://www.foapom.com
2. In the URL, type or paste https://registration.weather.com/ursa/login
3. Press BACK button
4. Note that Firefox status bar still reporting a connection to "x.weather.com"

I apologize for the multiple posts but I am sincerely trying to provide as much proof as possible.  I am done at this point and await your feedback.

Thanks.

Might be bug 506008 or bug 492358.
Blocks: lockicon
Group: core-security
Summary: SSL certificate not properly engaging → Mixed-content warning fires inappropriately when following links from some http pages to https pages
Whiteboard: [psm-padlock]
Version: unspecified → 3.6 Branch

I can reproduce the problem with STR of comment#4 in 
http://hg.mozilla.org/mozilla-central/rev/c0830a5933e8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20130709 Firefox/25.0 ID:20130709030204
Status: UNCONFIRMED → NEW
Ever confirmed: true

I am not able to reproduce this issue, and I'm unclear about what the bug is.  The icon isn't updated quickly enough between page loads?

Alice, you mentioned you could reproduce.  Can you provide more details?

(In reply to Paul from comment #5)
> 1. Go to http://www.foapom.com
> 2. In the URL, type or paste https://registration.weather.com/ursa/login
> 3. Press BACK button
> 4. Note that Firefox status bar still reporting a connection to
> "x.weather.com"
> 
What do you mean by it is still reporting a connection to x.weather.com?  The url bar still says x.weather.com?

Thanks!

(In reply to Tanvi Vyas [:tanvi] from comment #8)
> I am not able to reproduce this issue, and I'm unclear about what the bug
> is.  The icon isn't updated quickly enough between page loads?
> 
> Alice, you mentioned you could reproduce.  Can you provide more details?
>

STR is mentioned in comment#4.
1. Go to http://www.foapom.com
2. WHILE throbber (tab icon) is still gray spinning, <- timing is important
   Go to https://registration.weather.com/ursa/wow/step2

Actual Results:
Gray earth icon displayed in location bar

Expected Results:
Padlock icon should display in location bar

This looks like a duplicate of bug 947079, which was fixed in Firefox 39.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
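
A toy model of the hypothesis raised in the comments above (a load still in flight from the abandoned http page downgrades the indicator of the newly loaded https page), added here as an example. It is not Firefox code: the event shape, the document ids and the example hostnames are constructed assumptions.

```javascript
// Constructed event trace: an http page is still fetching a toolbar script
// when the user navigates the same tab to an https page.
const TRACE = [
  { type: "navigate", doc: 1, url: "http://site.example/" },
  { type: "load",     doc: 1, url: "http://site.example/main.js" },
  { type: "navigate", doc: 2, url: "https://secure.example/login" },
  { type: "load",     doc: 1, url: "http://toolbar.example/bar.js" }, // late load from abandoned page
  { type: "load",     doc: 2, url: "https://secure.example/app.js" },
];

// Same trace followed by a reload of the https page (a new document, id 3).
const TRACE_THEN_RELOAD = TRACE.concat([
  { type: "navigate", doc: 3, url: "https://secure.example/login" },
  { type: "load",     doc: 3, url: "https://secure.example/app.js" },
]);

// An https page that really does pull in an http subresource.
const REAL_MIXED = [
  { type: "navigate", doc: 1, url: "https://secure.example/login" },
  { type: "load",     doc: 1, url: "http://cdn.example/lib.js" },
];

const isHttps = (url) => new URL(url).protocol === "https:";

// Replays the events for one tab and returns "secure", "mixed" or "insecure".
// scopeToDocument = false: any load seen in the tab can downgrade the state.
// scopeToDocument = true:  loads started by a document other than the
//                          current top-level one are ignored.
function indicatorAfter(events, scopeToDocument) {
  let currentDoc = null;
  let state = "insecure";
  for (const ev of events) {
    if (ev.type === "navigate") {
      currentDoc = ev.doc;
      state = isHttps(ev.url) ? "secure" : "insecure";
    } else if (ev.type === "load") {
      if (scopeToDocument && ev.doc !== currentDoc) continue;
      if (state === "secure" && !isHttps(ev.url)) state = "mixed";
    }
  }
  return state;
}

console.log(indicatorAfter(TRACE, false), indicatorAfter(TRACE, true));
```

In this model the tab-wide tracker reports mixed content for the interrupted navigation and recovers after a reload, while the document-scoped tracker still flags the page that genuinely loads an http subresource.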