Open Bug 991313 Opened 10 years ago Updated 2 years ago

tell the user why they can't add a certificate exception in a framed page

Categories

(Firefox :: Security, defect)

28 Branch
defect

Tracking


REOPENED

People

(Reporter: matteosistisette, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140317233501

Steps to reproduce:

visit https://sede.seg-social.gob.es/Sede_1/Lanzadera/index.htm?URL=60


Actual results:

The attached warning is displayed. It warns me that the connection is untrusted.
I don't care because I trust the site, and I want to proceed anyway.

No "I understand the risks" button is shown, only a "take me away from here" button. So I cannot visit the page.


Expected results:

After the "take me away from here" button there should be an "I understand the risks" button. I have seen that thousands of times, so this is a regression.
A huge regression that makes Firefox unusable.
Severity: normal → critical
Reproducible on:
Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0

Considering the details in the Technical Details section, this might be expected though. Perhaps someone in Security can help more here.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
Expected?
There's no conceivable case where one should not be allowed to choose to accept the risks and continue. You may want to place an extra or stronger warning about the dangers, or perhaps ask for a password or something, but you can't disallow visiting a page completely, no matter how insecure!!!

Btw how are the technical details different from other cases where the option to continue does exist?
(In reply to matteo sisti sette from comment #2)
> Btw how are the technical details different from other cases where the option
> to continue does exist?

Yes, for example: https://reddit.com/.

I might be wrong about your cause though, I'm not sure about it, which is why I'm waiting for someone from Security to comment here and not just closing it as invalid.
Ok I can see the difference: one uses an invalid certificate, the other a certificate that is only valid for other domain names.

Still the "I understand the risks" option should exist, always, no matter what, it's as easy as that.
The untrusted certificate dialog does not allow overrides to be added if it is in an iframe due to click-jacking concerns. What you can do to add the override is right-click in the iframe, click "This Frame", and then "Show Only This Frame". This should make the untrusted connection show up in a top-level window context, where you can add an exception.

On a related note, it looks like the root for this site will be added in bug 435736, whereupon overrides will be unnecessary.

I'm resolving this "INVALID" which is an unfortunately harsh way of saying this is the intended behavior.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
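The rule stated in the comment above (an override is only offered in a top-level browsing context, never inside a frame, because the framing document could clickjack the button) and the guidance the bug title asks for can be expressed in a few lines. The following is an added example, not Firefox's own error-page code: `isTopLevel`, `certErrorDecision` and `makeWindow` are hypothetical names, the message text is assumed, and the window objects are constructed stand-ins so the example runs outside a browser.

```javascript
// Added example (not Firefox code): should a certificate-error page offer the
// "I understand the risks" override, and if not, what should it tell the user?

function isTopLevel(win) {
  // The same-origin policy permits comparing window references across origins;
  // reading win.top.location from a cross-origin frame would throw instead.
  return win.top === win;
}

function certErrorDecision(win) {
  const pageUrl = win.location.href;
  if (isTopLevel(win)) {
    return {
      allowOverride: true,
      message: 'This connection is untrusted. You may add a security exception.',
    };
  }
  // Framed context: the page under the error could be positioned and hidden by
  // the framing document so that a decoy click lands on the override button,
  // so the override is refused and the user is told how to reach the page directly.
  return {
    allowOverride: false,
    message:
      'This page is embedded in a frame, so a security exception cannot be added ' +
      'here (a framing page could trick you into clicking the override). ' +
      'Open ' + pageUrl + ' directly in a tab, or right-click the frame and choose ' +
      '"This Frame" > "Show Only This Frame", then add the exception.',
  };
}

// Constructed stand-ins for window objects (assumed shape: location.href and top).
function makeWindow(href, top) {
  const w = { location: { href: href } };
  w.top = top === undefined ? w : top; // no explicit top: this is the top-level window
  return w;
}

// Constructed sample: a top-level page and a page loaded inside its frame.
const topWin = makeWindow('https://example.test/');
const framedWin = makeWindow('https://sede.example.test/frame.htm', topWin);

console.log(certErrorDecision(topWin).allowOverride);    // true
console.log(certErrorDecision(framedWin).allowOverride); // false
console.log(certErrorDecision(framedWin).message);
```

In a real browser `win` would simply be `window`; the framed error page knows its own URL (which is what the user needs to open it in a top-level tab) but, across origins, cannot read the URL of the page that framed it.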
OMG I didn't even know that was in a frame (btw not an iframe).

Some notice should be shown to let the user know how to access the content if he/she understands the risks. You can't expect the user to figure out or google about that.
Blocks: 1029832
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Summary: Missing "I understand the risks" option on untrusted connection alert → tell the user why they can't add a certificate exception in a framed page
Blocks: 1092369
Severity: critical → normal
Has STR: --- → yes
OS: Linux → All
Hardware: x86_64 → All
Severity: normal → S3