InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

Forced HTTPS vs mixed content

https://forums.informaction.com/viewtopic.php?t=15436

Page 1 of 1

Forced HTTPS vs mixed content

Posted: Tue Jun 25, 2013 3:22 pm
by ultramage
NoScript has a feature in its advanced section to force certain domains to always go over HTTPS.
Firefox 23+ has a feature to block mixed content (plaintext requests from HTTPS origin).

Problem no. 1: even if I use NoScript's HTTPS forcing feature, Firefox won't show the padlock and still complains about mixed content.
Problem no. 2: if I turn on the mixed content blocker, it runs first and blocks everything before NoScript gets a chance to do its rewriting.

Any thoughts on how to proceed to make these work? Ideally I'd prefer if Firefox had a built-in force https feature, but since it doesn't, NoScript's is the next best thing, but right now it's interacting with Firefox in this undesirable way.

Re: Forced HTTPS vs mixed content

Posted: Tue Jun 25, 2013 5:28 pm
by therube
> no. 1:

URL where this occurs?


Reference: Bug 844556 - [tracking] compatibility issues with mixed content blocker on non-Mozilla websites

Re: Forced HTTPS vs mixed content

Posted: Tue Jun 25, 2013 11:11 pm
by Thrawn
Just checking: are all of the resources actually being caught by the Force HTTPS feature? Ie you're definitely catching all of the affected domains?

Re: Forced HTTPS vs mixed content

Posted: Thu Mar 13, 2014 6:20 am
by mattmccutchen
I have the same problem on https://www.elmoto.net/ : specifically, CSS files show mixed content errors, while js, png, and gif files all seem to be redirected fine. I'm using NoScript 2.6.8.17 with Firefox 27.0.1 (Fedora 20), and I have a HTTPS rule for www.elmoto.net . The Firebug console shows (one line removed because it tripped the forum spam filter):
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"
Blocked loading mixed active content "http://www.elmoto.net/clientscript/vbul ... 1391981016"

Re: Forced HTTPS vs mixed content

Posted: Thu Mar 13, 2014 2:34 pm
by Giorgio Maone
Looking for a work around, thanks.

Re: Forced HTTPS vs mixed content

Posted: Fri Mar 14, 2014 12:25 am
by Thrawn
Maybe Firefox should give users the option of either blocking mixed content or forcing it to HTTPS (which will have the same effect if HTTPS is not available, but will fix the problem when it is available).

Anyone know whether there is a bug for this?

EDIT: Bug is here.

Re: Forced HTTPS vs mixed content

Posted: Fri Mar 14, 2014 12:31 am
by Thrawn
Well, there is this bug, which points out that the same issue occurs with "mixed content" that is actually secured by HSTS.
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited