Open Bug 1405000 Opened 8 years ago Updated 3 years ago

Noscript tags containing HTTP link / resource on https pages trip the mixed content blocker even when JS is enabled and noscript content is unused

Categories

(Core :: DOM: Security, defect, P3)

Product:
Core
Component:
DOM: Security
Version:
57 Branch
Type:
defect

Tracking

()

Status:
UNCONFIRMED

People

(Reporter: firefox, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:55.0) Gecko/20100101 Firefox/55.0 Build ID: 20170919185010 Steps to reproduce: Go to HTTPS page that has <noscript> tag with HTTP link / resource. Firefox will break the SSL lock and complain about broken HTTPS. This should not happen, if Javascript is enabled, as <noscript> part is never run (used). Actual results: HTTPS lock broken (yellow) Expected results: HTTPS respected (green lock)
Version: 55 Branch → 57 Branch
Component: Untriaged → Security

Another bug that got a bit lost.

Component: Security → DOM: Security
Flags: needinfo?(ckerschb)
Product: Firefox → Core
Summary: HTTPS broken when noscript tags contain HTTP link / resource → Noscript tags containing HTTP link / resource on https pages trip the mixed content blocker even when JS is enabled and noscript content is unused

Yeah, that seems possible - has to go into the backlog though.

Blocks: MixedContentBlocker
Flags: needinfo?(ckerschb)
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.