Forums | MacLife
#1 2009-04-30 11:26 am
Overzealous Firefox and SSL issue
Firefox has some overzealous security related to SSL.
For example - they make you go through hoops to accept a self-signed SSL certificate, which makes it a royal PITA if you have a Linksys router or are using a self-signed cert for web development.
Seems the latest Firefox is even more zealous.
Maybe it is because I'm developing w/ a self-signed cert - but after the last update, all images vanished.
It seems the browser refuses to display images in a secure site that are hosted on another site - even if the other site has the same top level domain. Maybe it is because the domain was different (though the TLD was the same - shastaherps.devel)
My self signed secure domain:
secure.shastaherps.devel
domain for images:
www.shastaherps.devel
I put the images in the secure domain and they worked again.
Anyway - thought I'd give a heads up for those of you with secure domains, you might want to test whether or not your images load in Firefox 3.0.10
No - not a code issue - images worked fine in Opera.
Last edited by resedit (2009-04-30 11:31 am)
In her right hand Jenny held the Bible of her mother
Jenny had a pistol in the other
-- Steve Taylor
#2 2009-04-30 11:30 am
Re: Overzealous Firefox and SSL issue
btw - I'm going to investigate it further, but that's clearly a bug - it is valid HTML to link to an image on another domain so Firefox should display it, it's not their job to play nanny - users who want that restriction for their own protection when viewing SSL sites can add a plugin that puts that restriction.
I have to make sure though that it isn't the result of one of my existing add-ons (i.e. NoScript ??) before I tear the Mozilla developers a new one for breaking the web.
#3 2009-04-30 11:44 am
- Nefarious
Re: Overzealous Firefox and SSL issue
::: subscribes to thread :::
#4 2009-05-01 2:24 am
Re: Overzealous Firefox and SSL issue
It seems the justification is that Firefox puts a secure lock telling the user the page is insecure.
However, if the page contains insecurely transmitted content (image, iframe, whatever) the lock could mislead the user.
Another issue is that the linked image may not be an image at all, but use various trickery to result in execution of JavaScript that can result in bad XSS stuff, like session id theft.
So - I suppose even though HTML allows a secure page to incorporate insecure cross-domain stuff, the prevalence of cross-domain exploits makes the simplest solution to protect the user be to just forbid it in a secure site.
The feeling I get when reading the various browser developer blogs is that the web is far too insecure, with little the user can do to protect themselves from websites that have holes allowing cross-site injection; web browsers need to be anal or else the web cannot be a safe place for financial transactions.
I guess I can see that point.
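Added example, not part of the original thread or any poster's code: a small Python audit that lists the subresources an HTTPS page would fetch over plain HTTP, split into passive (images, media) and active (scripts, frames, stylesheets) mixed content as discussed in post #4. It assumes the images on www.shastaherps.devel were referenced with `http://` URLs; the paths and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that triggers a subresource fetch.
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data", "embed": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect subresources that an HTTPS page would fetch over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        if tag == "link" and "stylesheet" not in (dict(attrs).get("rel") or "").lower():
            return  # this example only treats stylesheet links as subresources
        # Resolve relative and protocol-relative ("//host/x") references.
        resolved = urljoin(self.page_url, value)
        if urlsplit(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE else "passive"
            self.findings.append((kind, tag, resolved))


def scan(page_url, html):
    """Return mixed-content findings; empty if the page itself is not HTTPS."""
    if urlsplit(page_url).scheme != "https":
        return []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample markup using the hostnames from the thread.
SAMPLE = """
<img src="http://www.shastaherps.devel/img/logo.png">
<img src="/img/local.png">
<img src="//www.shastaherps.devel/img/proto-relative.png">
<script src="http://www.shastaherps.devel/js/menu.js"></script>
<a href="http://www.shastaherps.devel/">home</a>
"""

if __name__ == "__main__":
    print(*scan("https://secure.shastaherps.devel/account", SAMPLE), sep="\n")
```

Relative and protocol-relative references inherit the page's scheme, so they are not reported, and plain links (`<a href>`) are navigation rather than subresources.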
#5 2009-05-01 2:28 am
Re: Overzealous Firefox and SSL issue
Oh - and it looks like in the future, DHTML may be restricted - there doesn't even seem to be a proof of concept implementation, but it looks like browsers may enforce a policy requiring the web developer to specify the scope of what parts of a document can be modified by DHTML, thus making it much more difficult for injected scripts to do some of the things they do.
