Re: [websec] Strict-Transport-Security and mixed-content warnings

[Tanvi Vyas <tanvi@mozilla.com>]

Firefox's Mixed Content Blocker is enabled by default in Firefox 23+.  
It will block Mixed Active Content, but allow Mixed Passive Content 
(unless the user explicitly turns it off by setting 
security.mixed_content.block_display_content to true).

If an HSTS site includes Mixed Active Content, we will block the content 
by default.  As Ryan mentioned, a user without HSTS protections is still 
at risk.  This is discussed in detail in this blog post: 
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23/#Appendix. 
This has actually been a problem for our own mozilla sites, since many 
of them have set the HSTS header but haven't updated their content.  We 
are working with them to update their websites and replace http:// links 
with their https:// equivalents.

Note that our definitions of Mixed Active and Mixed Passive are slightly 
different than Chrome's and IE's.  Some of these differences are also 
discussed in the blog post 
(https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-firefox-23).

Thanks!

~Tanvi



On 5/22/13 3:52 PM, Ryan Sleevi wrote:
> On Wed, May 22, 2013 2:56 pm, Daniel Kahn Gillmor wrote:
>>   hi websec folks--
>>
>>   I am wondering what people think the proper intersection is between a
>>   web browser's mixed-content warnings and HSTS.
>>
>>   For example, if https://example.net has asserted
>>   Strict-Transport-Security: max-age=15768000 but the homepage at
>>   https://example.net/ also contains
>>
>>     <img src="http://example.net/example.jpg"/>
>>
>>   should an HSTS-compatible browser show its standard mixed-content
>>   warning even though it knows to rewrite that img src to
>>   https://example.net/example.jpg ?
>>
>>   My intuition is that this shouldn't trigger the browser's mixed-content
>>   warning, but chromium 26.0.1410.43 does show it, and
>>
>>    https://code.google.com/p/chromium/issues/detail?id=122548#c26
>>
>>   suggests that palmer@ and rsleevi@ think that is the correct behavior
>>   because they want:
>>
>>> to signal to the site author of an error - for example, if users which
>>> did not have HSTS visited.
>>   I'm not sure how the author is supposed to get this signal from the site
>>   visitor's browser, though -- perhaps the expectation is that site
>>   visitors will independently report the "broken lock" to the site
>>   administrator?
> Yes.
>
> The view is that it's still a legitimate error for the site operator, in
> that any user without HSTS protections (or with expired HSTS) is still at
> risk. While HSTS may be providing protection to the user, the site itself
> is still configured to serve resources insecurely, thus we still surface
> it as user visible.
>
>
>>   I also note that firefox 21.0 (when
>>   security.mixed_content.block_display_content = true) doesn't show the
>>   media at all, and when security.mixed_content.block_display_content =
>>   false it shows the image but removes the lock from the address bar
>>   (which i think is the equivalent of the "mixed content warning" these
>>   days).
> I believe the Firefox behaviour is an artifact of their current (partial)
> implementation of mixed content blocking. According to
> https://blog.mozilla.org/security/2013/05/16/mixed-content-blocking-in-firefox-aurora/
> , future versions should distinguish between active and passive content,
> and thus more closely mirror the Chromium behaviour by default (namely,
> that it will block active content, but not passive content)
>
>>   Do other folks have any thoughts about the right thing is to do here?
>>
> ISTM that UI behaviours are largely outside the realm of what the IETF
> standardizes.
>
> That said, certainly feedback is welcomed on this, and I would love to see
> consistent handling (which, AFAIK, we will soon have). I'm just not sure
> if this is really a "spec issue".
>
> _______________________________________________
> websec mailing list
> websec@ietf.org
> https://www.ietf.org/mailman/listinfo/websec