Comments (4)
I think Firefox is currently experimenting with upgrading mixed content. I'm not sure what the state of that is though, but it's possible that caused upgrades to occur. What behavior are you seeing on BadSSL that seems wrong?
from badssl.com.
What behavior are you seeing on BadSSL that seems wrong?
Firefox gets a red screen, with the text "This page has run active mixed content (a script from an insecure URL)", despite never making a network request to a http site.
from badssl.com.
My best guess (without details about your Firefox installation and any active experiments) is that Firefox is auto-upgrading blockable mixed content -- IIRC this was the behavior of their experimental implementation at least at some point in the past (https://bugzilla.mozilla.org/show_bug.cgi?id=1672106#c7).
If the script loads at all, the test page will turn to the "error" state (https://mixed-script.badssl.com/nonsecure.js). If Firefox is upgrading the script to HTTPS then this is technically in violation of the Mixed Content Level 2 spec (https://w3c.github.io/webappsec-mixed-content/level2.html#category-upgradeable).
I think the test case is working as expected here, but it might be possible to make it a bit more robust in the face of upgrades if the JS queries how it was loaded instead of unconditionally -- maybe using document.currentScript.src? I don't know if that will consistently get the rewritten URL or if it is set based on the source document only. Happy to accept a PR that adds that, but it feels low priority as this is unexpected non-spec-compliant behavior.
from badssl.com.
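One way to write the check suggested in the comment above, as an added example that is not part of the thread or of badssl.com's own code. The function names, the `data-mixed-script` attribute and the `page.example` URLs are assumptions; whether `document.currentScript.src` shows the upgraded URL is the open question the comment raises, and this code does not settle it.

```javascript
// Added example (hypothetical names; not the badssl.com test script).

// Decide what a script's reported URL says about how it was fetched.
//   pageUrl:   URL of the embedding document (e.g. location.href)
//   scriptSrc: URL the script reports for itself
//              (e.g. document.currentScript.src); '' for inline scripts
function classifyScriptLoad(pageUrl, scriptSrc) {
  let page;
  try { page = new URL(pageUrl); } catch { return 'unknown'; }
  if (!scriptSrc) return 'inline';

  let script;
  try { script = new URL(scriptSrc, page); } catch { return 'unknown'; }

  // An insecure page cannot have mixed content at all.
  if (page.protocol !== 'https:') return 'not-mixed';
  // Reported URL is still http:// on an https:// page.
  if (script.protocol === 'http:') return 'insecure';
  // https:// as written, or reported that way after an upgrade.
  if (script.protocol === 'https:') return 'secure';
  // data:, blob: and similar schemes are not classified here.
  return 'unknown';
}

// Record the verdict on the document instead of unconditionally
// switching the test page to its error state.
function reportLoad(doc, loc) {
  const src = doc.currentScript ? doc.currentScript.src : '';
  const verdict = classifyScriptLoad(loc.href, src);
  doc.documentElement.dataset.mixedScript = verdict;
  return verdict;
}

// Runs only in a browser; in Node the functions are just defined.
if (typeof document !== 'undefined') {
  reportLoad(document, location);
}
```

A test page using this would treat only the `insecure` verdict as the error state, and would need to be checked in a browser that upgrades the request to see which URL it actually reports.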
please assign me the issue
from badssl.com.