Blocking mixed content with ABE/FF18... a problem (?)
Posted: Mon Jan 21, 2013 11:50 pm
I just updated (clean install) to FF 18.0.1 and I'm using the same configuration I've been using for awhile (latest Flash is the only plugin, various common privacy extensions, fairly extensive autoconfig lock down, XP SP3). I'm looking into mixed content blocking and am seeing something unexpected.
Test #1 Config
Key firefox prefs...
security.warn_viewing_mixed;true
security.warn_viewing_mixed.show_once;false
security.mixed_content.block_active_content;false // Just testing ABE for now
security.mixed_content.block_display_content;false // Just testing ABE for now
plugins.click_to_play;true
ABE user rule...
Site http:
Deny from https:
Test #1 Description
Wireshark is running, looking for HTTP requests. Fire up FF18, visit https://www.youtube.com. When viewing various video pages I didn't see any unexpected HTTP requests. However, if I click "Click here to activate the Adobe Flash plugin" to play videos, I frequently do see unexpected HTTP requests (and get no Firefox warnings about viewing mixed content). More specifically...
Sometimes the video doesn't play ("An error occurred, Please try again later") and I see no HTTP requests. Sometimes the video doesn't play but I see a request for _http://blahblahab5l.c.youtube.com/crossdomain.xml. Sometimes the video does play and I see a request for _http://blahblahab5l.c.youtube.com/crossdomain.xml and also a request for _http://blahblahab5z.c.youtube.com/videoplayback?algorithm=throttle-factor&....
I'm not sure if this is a bug or a known "can't detect/block Flash HTTP requests via Firefox API" limitation or something specific to my config. Does this ring any bells? Have any of you seen this behavior? Any suggestions on how I might thoroughly block the mixed content? I'm fine with breaking sites as long as I can back off on a case by case basis. Thanks in advance.
Test #1 Config
Key firefox prefs...
security.warn_viewing_mixed;true
security.warn_viewing_mixed.show_once;false
security.mixed_content.block_active_content;false // Just testing ABE for now
security.mixed_content.block_display_content;false // Just testing ABE for now
plugins.click_to_play;true
ABE user rule...
Site http:
Deny from https:
Test #1 Description
Wireshark is running, looking for HTTP requests. Fire up FF18, visit https://www.youtube.com. When viewing various video pages I didn't see any unexpected HTTP requests. However, if I click "Click here to activate the Adobe Flash plugin" to play videos, I frequently do see unexpected HTTP requests (and get no Firefox warnings about viewing mixed content). More specifically...
Sometimes the video doesn't play ("An error occurred, Please try again later") and I see no HTTP requests. Sometimes the video doesn't play but I see a request for _http://blahblahab5l.c.youtube.com/crossdomain.xml. Sometimes the video does play and I see a request for _http://blahblahab5l.c.youtube.com/crossdomain.xml and also a request for _http://blahblahab5z.c.youtube.com/videoplayback?algorithm=throttle-factor&....
I'm not sure if this is a bug or a known "can't detect/block Flash HTTP requests via Firefox API" limitation or something specific to my config. Does this ring any bells? Have any of you seen this behavior? Any suggestions on how I might thoroughly block the mixed content? I'm fine with breaking sites as long as I can back off on a case by case basis. Thanks in advance.