Bug 733038 - Implement active mixed-content blocking
Status: RESOLVED NOTGNOME
Product: epiphany
Classification: Core
Component: General
Version: git master
OS: Other Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assigned To: Michael Catanzaro
QA Contact: Epiphany Maintainers
Depends on:
Blocks: 721283
Reported: 2014-07-11 00:08 UTC by Michael Catanzaro
Modified: 2015-12-07 12:08 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Attachment 281603: ":)" (83.59 KB, image/png), 2014-07-24 14:57 UTC, Michael Catanzaro
Attachment 294287: "Prohibit deletion of promotion type dialog" (1.91 KB, patch, review flag: none), 2015-01-11 17:30 UTC, Michael Catanzaro

Description Michael Catanzaro 2014-07-11 00:08:25 UTC
From David Gilmore in bug #726288: "modern browsers should refuse to load active content (javascript) from cleartext channels if they will be running in the context of an authenticated HTTPS origin; epiphany should also refuse to load active content from authentication-failed connections."

I agree.  All major browsers with the exception of Safari already block active mixed content. They also have UI for overriding this on a per-site basis, so I guess Epiphany should have that too. Firefox and Chrome both use shield icons in the address bar, and clicking on the shield allows the user to load the unsafe content. I think Internet Explorer has been blocking even passive mixed content for a long time now (several years), but I don't suggest this as neither Firefox nor Chrome do and it's still very common.

This is similar to bug #666808, but more strict: bug #666808 is for implementing mixed content *detection* for all mixed content, which is already supported by WebKitGTK+, whereas this bug is about preventing active mixed content from ever running.

Quick testcase: https://www.ssllabs.com/ssltest/viewMyClient.html
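The policy the description asks for, written out as an added example (not Epiphany or WebKitGTK+ code): a page loaded over an authenticated HTTPS origin may not load active (script-like) content over cleartext or over a connection whose certificate failed validation, while passive content is loaded but flagged, and a per-site user override (the "shield" click) is honoured. The resource kinds, the `cert_ok` flag and the `user_overrides` set are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Subresource kinds that can run code or rewrite the page: active ("blockable") mixed content.
ACTIVE_KINDS = {"script", "stylesheet", "iframe", "object", "xhr", "fetch", "websocket"}
# Kinds that can only be displayed: passive ("optionally blockable") mixed content.
PASSIVE_KINDS = {"image", "audio", "video"}


def is_secure_url(url, cert_ok=True):
    """A fetch is secure only if it is both encrypted and authenticated.

    cert_ok is an assumed flag: False means the TLS certificate for this fetch
    failed validation, so the connection is "authentication-failed" even though
    its scheme is https/wss.
    """
    scheme = urlsplit(url).scheme
    if scheme in ("https", "wss"):
        return cert_ok
    # Same-document sources that never touch the network.
    return scheme in ("data", "blob", "about")


def decide(origin_url, resource_url, kind, cert_ok=True, user_overrides=frozenset()):
    """Return 'allow', 'block' or 'warn' for one subresource request.

    user_overrides (assumed) holds hostnames for which the user has explicitly
    chosen to load unsafe content, e.g. by clicking the shield icon.
    """
    origin = urlsplit(origin_url)
    if origin.scheme != "https":
        return "allow"                       # a cleartext page has no secure context to protect
    if is_secure_url(resource_url, cert_ok):
        return "allow"
    if kind in ACTIVE_KINDS:
        if origin.hostname in user_overrides:
            return "warn"                    # loaded only because the user overrode the block
        return "block"
    if kind in PASSIVE_KINDS:
        return "warn"                        # loaded, but the page loses its secure indicator
    return "block"                           # unknown kinds fail closed


if __name__ == "__main__":
    # Constructed sample requests from a page at https://bank.example (not real hosts).
    sample = [
        ("http://cdn.example/app.js", "script"),
        ("http://cdn.example/logo.png", "image"),
        ("https://cdn.example/app.js", "script"),
    ]
    for url, kind in sample:
        print(kind, url, "->", decide("https://bank.example/login", url, kind))
```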
Comment 1 Daniel Kahn Gillmor 2014-07-11 02:00:09 UTC
It's "Daniel Gillmor", not "David Gilmore" :)

Thanks for breaking this out as a distinct issue, Michael!
Comment 2 Michael Catanzaro 2014-07-11 02:10:59 UTC
Whoops! Partial credit for the first two letters right?

I'm planning to propose new API in WebKitGTK+ to facilitate this.  I think the plumbing already exists, though it was only ever used by the Chromium port.
Comment 3 Michael Catanzaro 2014-07-24 14:57:51 UTC
Created attachment 281603 [details]
:)

It will take a little while for me to get the required changes merged into WebKit, but it's coming...
Comment 4 Michael Catanzaro 2014-08-05 12:23:40 UTC
See also http://w3c.github.io/webappsec/specs/mixedcontent/
Comment 5 Michael Catanzaro 2015-01-11 17:30:24 UTC
Created attachment 294287 [details] [review]
Prohibit deletion of promotion type dialog

This works, but the downside is that I bet some window managers will show a close button even though mutter doesn't. And it's hacky, but I couldn't figure out any better way to intercept deletion with the Escape key.
Comment 6 Michael Catanzaro 2015-01-11 17:38:03 UTC
Comment on attachment 294287 [details] [review]
Prohibit deletion of promotion type dialog

Yup wrong bug.
Comment 7 Michael Catanzaro 2015-12-07 12:08:22 UTC
Fixed in WebKit