Closed
Bug 1484753
(CVE-2018-12403)
Opened 6 years ago
Closed 6 years ago
Firefox doesn't mark sites with http favicons as mixed content
Categories: Firefox :: Security, defect
Tracking: RESOLVED FIXED in Firefox 63
People: Reporter: yigitcnyilmaz, Assigned: mossop
Details: Keywords: sec-low, Whiteboard: [post-critsmash-triage][adv-main63+]
Attachments: 2 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce:

1- Open Firefox
2- Go to this website: https://mixed-favicon.badssl.com/

Actual results:

Although a web page icon loads as http, it may appear secure.
Proof of concept: proof.mov

Expected results:

Please look at the source code of https://mixed-favicon.badssl.com. You can see the favicon icon as https. But if you open the favicon file, it's redirecting to an http page. This means: the favicon file is loading as http. This means: the web page is not secure. But Firefox shows the web page as secure.
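An added check, not Firefox code or the reporter's, that models the case in this report: it extracts the favicon URL from a page, follows the redirect chain and flags the page as mixed content if any hop is plain http. The redirect table, the `example.test` host and the sample HTML are constructed stand-ins for the network.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed redirect table standing in for real HTTP responses (URL -> Location of
# a 30x response; None means served directly). It models the report: https icon -> http.
REDIRECTS = {
    "https://example.test/favicon.ico": "http://example.test/favicon.ico",
    "http://example.test/favicon.ico": None,
    "https://example.test/icon.png": None,
}

class IconLinkParser(HTMLParser):
    """Collect href values of <link rel="icon"> and <link rel="shortcut icon">."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if "icon" in rel and a.get("href"):
            self.hrefs.append(a["href"])

def favicon_urls(page_url, html):
    """Absolute favicon URLs declared in the page; /favicon.ico if none is declared."""
    parser = IconLinkParser()
    parser.feed(html)
    return [urljoin(page_url, h) for h in (parser.hrefs or ["/favicon.ico"])]

def follow(url, redirects, limit=10):
    """Follow the redirect chain for url and return every URL visited, in order."""
    chain = [url]
    while redirects.get(chain[-1]) is not None and len(chain) <= limit:
        chain.append(urljoin(chain[-1], redirects[chain[-1]]))
    return chain

def is_mixed_content(page_url, html, redirects=REDIRECTS):
    """True if an https page would load any favicon hop (after redirects) over http."""
    if urlsplit(page_url).scheme != "https":
        return False  # an http page cannot have mixed content
    return any(urlsplit(hop).scheme == "http"
               for icon in favicon_urls(page_url, html)
               for hop in follow(icon, redirects))

# Constructed page mirroring the report: the icon is declared with an https URL
SAMPLE = '<html><head><link rel="icon" href="/favicon.ico"></head></html>'
```

The same page with an icon that is served directly over https is not flagged, and an http page is never flagged since it has no secure context to downgrade.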
Comment 1•6 years ago
I can't reproduce this, the mixed content UI shows fine for me. What version of Firefox are you using?
Flags: needinfo?(yigitcnyilmaz)
Comment 3•6 years ago
Hmm, seems like this got fixed in Nightly, I can reproduce on Beta and Release as well. Would you mind testing this in Firefox Nightly and see if the issue is fixed for you? Thanks!
Flags: needinfo?(yigitcnyilmaz)
Comment 4•6 years ago
Hello, yes. Fixed with the nightly version. But I can reproduce on Firefox iOS. Can I create a different report for this? Thanks!
Flags: needinfo?(yigitcnyilmaz)
Comment 5•6 years ago
(In reply to Yiğit Can YILMAZ from comment #4)
> Hello,
> Yes. Fixed with nightly version. But I can reproduce on Firefox iOS. Can I
> create a different report for this ?
>
> Thanks!

Yes, it's preferable to create another bug for Firefox for iOS. Bugzilla has a separate component for this. Thanks!

I'm closing this bug as worksforme then. I'm not removing the security flag until we know that the bug that resolved this isn't s-s either. Maybe jkt or ckerschb know what fixed this.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Component: Untriaged → Security
Resolution: --- → WORKSFORME
Updated•6 years ago
Summary: firefox http on https → Firefox doesn't mark sites with http favicons as mixed content
Comment 6•6 years ago
I expect this will have been fixed by Mossop's changes to favicon loading. We may want to mark this bug fixed and set the relevant affected/fixed versions.
Flags: needinfo?(dtownsend)
Comment 7•6 years ago
(In reply to :Gijs (he/him) from comment #6)
> I expect this will have been fixed by Mossop's changes to favicon loading.
> We may want to mark this bug fixed and set the relevant affected/fixed
> versions.

My changes didn't land until 63 though and this claimed to have been resolved in 61. Do we have a test in tree for this case? It's possible my change may have affected this.
Flags: needinfo?(dtownsend) → needinfo?(jhofmann)
Comment 8•6 years ago
Hello, this problem can be reproduced in 61.0.2. If you want to demonstrate it, you can see "proof.mov" in the attachments. But this problem cannot be reproduced in the "nightly" version. I cannot reproduce it in the nightly version. Also, this problem is reproducible for Firefox iOS (13.1). I created a new report for iOS. You can see it at https://bugzilla.mozilla.org/show_bug.cgi?id=1484916 . Best Regards, Yiğit
Comment hidden (off-topic)
Updated•6 years ago
status-firefox61: --- → affected
status-firefox62: --- → affected
status-firefox63: --- → fixed
Flags: needinfo?(jhofmann)
Version: 61 Branch → unspecified
Comment 10•6 years ago
(In reply to Dave Townsend [:mossop] from comment #7)
> (In reply to :Gijs (he/him) from comment #6)
> > I expect this will have been fixed by Mossop's changes to favicon loading.
> > We may want to mark this bug fixed and set the relevant affected/fixed
> > versions.
>
> My changes didn't land until 63 though and this claimed to have been
> resolved in 61. Do we have a test in tree for this case? It's possible my
> change may have affected this.

To clarify, this is fixed in Nightly (63) and broken in 61 and 62, so that sounds a lot like your patch fixed it. I don't think we have a test for it yet, since that test would have been broken until your change. It would be a good idea to write one.
Comment hidden (off-topic)
Comment 12•6 years ago
(In reply to Yiğit Can YILMAZ from comment #11)
> Hello,
> Can you fix it for firefox iOS ? No one responded to my "firefox for iOS"
> report

Unfortunately no-one involved in this conversation is an iOS engineer. I'm afraid you just need to wait till someone from the iOS side of things looks into your report.
Comment 13•6 years ago
Comment 14•6 years ago
Let's use this to get a test landed.
Assignee: nobody → dtownsend
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WORKSFORME → ---
Comment 15•6 years ago
Comment on attachment 9002841 [details]
Bug 1484753: Loading an insecure favicon should make the page show as mixed content. r=johannh

:Gijs (he/him) has approved the revision.
Attachment #9002841 -
Flags: review+
Comment 16•6 years ago
Comment on attachment 9002841 [details]
Bug 1484753: Loading an insecure favicon should make the page show as mixed content. r=johannh

Johann Hofmann [:johannh] has approved the revision.
Attachment #9002841 -
Flags: review+
Comment 17•6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1cba447409917569d3d44d814fd13ba2e6244006
https://hg.mozilla.org/mozilla-central/rev/1cba44740991
Group: firefox-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 6 years ago → 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 63
Comment 18•6 years ago
This sounds like a sec-low that's riding the trains, but feel free to correct that if I'm misunderstanding.
status-firefox-esr52: --- → wontfix
status-firefox-esr60: --- → wontfix
Flags: in-testsuite+
Keywords: sec-low
Comment 19•6 years ago
I agree with that assessment.
Comment 20•6 years ago
(And there may be a public dupe of this somewhere).
Comments 21 to 27 hidden (off-topic)
Comment 28•6 years ago
(In reply to Yiğit Can YILMAZ from comment #21)
> Can you give me bug bounty ? and can you add me hall of fame ?

Our bug bounty program is described at https://www.mozilla.org/en-US/security/client-bug-bounty/

I'll go ahead and tag this bug for evaluation but sec-low bugs generally don't qualify.
Flags: needinfo?(dtownsend) → sec-bounty?
Comment 29•6 years ago
The bounty committee agrees that this does not qualify for a reward.
Flags: sec-bounty? → sec-bounty-
Updated•6 years ago
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•6 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main63+]
Updated•6 years ago
Alias: CVE-2018-12403
Updated•5 years ago
Group: core-security-release
Updated•4 years ago
Flags: sec-bounty-hof+