
HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 5:00 pm
by Meee
I don't know since when, but I have noticed the HTTPS enforcement no longer works for page resources.

Test procedure:
1. Set "security.mixed_content.block_display_content" to "true" in about:config.
2. Place ".informaction.com" (without the quotes) into the HTTPS enforcement field (as the only entry for this test, many more are used normally)
3. Navigate to http://www.informaction.com/

Expected results:
3. Page and all resources covered by ".informaction.com" are redirected to HTTPS and loaded

Actual results:
3. The page itself gets redirected and loaded correctly, but all affected resources don't get loaded. The HTTPS lock icon shows a warning triangle ("Firefox has blocked parts of this page that are not secure"). The Browser Console shows 'Blocked loading mixed active content "http://www.informaction.com/data/oss.css"', and similar for all the other resources.

Another affected site, e.g.: http://ubuntuforums.org/.

Firefox 45.0 as provided by Linux Mint 17.1, 64 bit
NoScript 2.9.0.10 from the Mozilla Addons repository.

Re: HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 6:16 pm
by barbaz
On https://www.informaction.com/, I'm getting HTTP/404 response for those resources you say aren't loading...
(This does not happen on the plain http site)

Can you please explain more how this is a NoScript issue?

Re: HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 8:03 pm
by Meee
In other words, you can't reproduce it. Since the "HTTP/404 response" is not what I reported. In my case, the requests are never sent.

Could you try http://ubuntuforums.org/ instead (placing ".ubuntuforums.org" into the HTTPS enforcement field)? That one allows resource load over HTTPS. It's where I saw it originally, and then noticed the same on http://www.informaction.com/ and used the latter in the report.

Thanks!

Re: HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 8:20 pm
by barbaz
Meee wrote:In other words,
... I didn't do step 1 of the posted STR. Because I was checking for something like the HTTP/404 responses, and NoScript is anyway independent of browser's strict HTTPS features.
Meee wrote:In my case, the requests are never sent.
Probably because the browser outright blocks the requests before NoScript even sees them. I have confirmed that this is the case using HTTPFox.

Re: HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 8:48 pm
by Meee
Thanks for looking into this!

This looks like a recent change in Firefox, because it used to work before. The last time I checked was a few months ago, I think (I use stable releases only).

Re: HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 10:12 pm
by Meee
Actually, this seems to be due to a change in NoScript. I tested with Iceweasel 43, and NoScript up to version 2.9.0.6 works, while 2.9.0.7rc2 and later don't. So it seems to be due to the following change in its version history:
x [HTTPS] Removed legacy redirection methods when redirectTo()
is available in HTTP channels, fixing YouTube embedding
problem

Re: HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 10:25 pm
by barbaz
That's just weird, because this is what I see in the Browser Console following your STR on ubuntuforums:

Code:

[NoScript HTTPS] Redirected Channel https://ubuntuforums.org/
[NoScript HTTPS] AUTOMATIC SECURE on https://ubuntuforums.org: bb_sessionhash=[Redacted]; domain=.ubuntuforums.org; path=/; HttpOnly; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://ubuntuforums.org: bb_lastvisit=[Redacted]; domain=.ubuntuforums.org; path=/; Secure
[NoScript HTTPS] AUTOMATIC SECURE on https://ubuntuforums.org: bb_lastactivity=[Redacted]; domain=.ubuntuforums.org; path=/; Secure
Blocked loading mixed active content "http://ubuntuforums.org/css.php?styleid=117&langid=3&d=***&td=ltr&sheet=bbcode.css,editor.css,popupmenu.css,reset-fonts.css,vbulletin.css,vbulletin-chrome.css,vbulletin-formcontrols.css,"[Learn More] ubuntuforums.org
Blocked loading mixed active content "http://fonts.googleapis.com/css?family=Ubuntu:400,400italic,700,700italic|Ubuntu+Mono:400,700"[Learn More] ubuntuforums.org
Blocked loading mixed active content "http://ubuntuforums.org/css.php?styleid=117&langid=3&d=***&td=ltr&sheet=forumbits.css,forumhome.css,options.css"[Learn More] ubuntuforums.org
Blocked loading mixed active content "http://ubuntuforums.org/css.php?styleid=117&langid=3&d=***&td=ltr&sheet=additional.css"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/ubuntulogo-o-small.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/misc/navbit-home.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/buttons/collapse_40b.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-48.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_link-48.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/misc/forum_stats.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/misc/legend.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-16.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-16.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_link-16.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/images/ubuntu-VB4/buttons/search.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "http://ubuntuforums.org/favicon.ico"[Learn More] tabbrowser.xml:1186:0

Those blockings are definitely coming from the browser, not NS. (I'm not necessarily saying that NS doesn't need changing, just that it's not the culprit here.)

Re: HTTPS enforcement broken for page resources

Posted: Tue Apr 05, 2016 10:29 pm
by barbaz
Meee wrote:Actually, this seems to be due to a change in NoScript.
Can you please compare HTTPFox logs with a "working" NoScript and latest NoScript, on ubuntuforums?

Re: HTTPS enforcement broken for page resources

Posted: Wed Apr 06, 2016 12:34 am
by Thrawn
Reproducible here. I've noticed several other pages breaking over the past few days, too.

Barbaz, you're running with httpsDefWhitelist disabled, right?

Forcing HTTPS on .informaction.com, I get a broken page and a bunch of:

Code:

Loading mixed (insecure) display content "http://www.informaction.com/data/iasw.jpg" on a secure page[Learn More] RemoteAddonsParent.jsm:763:269
Loading mixed (insecure) display content "http://www.informaction.com/data/donate2.gif" on a secure page[Learn More] RemoteAddonsParent.jsm:763:269
Loading mixed (insecure) display content "http://www.informaction.com/data/flashgot/logo.png" on a secure page[Learn More] RemoteAddonsParent.jsm:763:269
Loading mixed (insecure) display content "http://www.informaction.com/data/noscript/noscript-10years-small.png" on a secure page[Learn More] RemoteAddonsParent.jsm:763:269
Loading mixed (insecure) display content "http://www.informaction.com/data/spedifax/logo.png" on a secure page[Learn More] RemoteAddonsParent.jsm:763:269
Loading mixed (insecure) display content "http://www.informaction.com/data/pop3trap/logo.png" on a secure page[Learn More] RemoteAddonsParent.jsm:763:269
Loading mixed (insecure) display content "http://www.informaction.com/data//badge-flashgot.png" on a secure page[Learn More] RemoteAddonsParent.jsm:763:269
Loading mixed (insecure) display content "http://www.informaction.com/data//badge-noscript.png" on a secure page[Learn More]

Re: HTTPS enforcement broken for page resources

Posted: Wed Apr 06, 2016 1:05 am
by barbaz
Thrawn wrote:Barbaz, you're running with httpsDefWhitelist disabled, right?
Yes
Thrawn wrote:Forcing HTTPS on .informaction.com, I get a broken page and a bunch of:
Those messages indicate that the browser isn't blocking mixed content. You need to set the browser to block mixed content in order to see what Meee is describing. Try ubuntuforums instead, the effect is much more pronounced there.

Re: HTTPS enforcement broken for page resources

Posted: Wed Apr 06, 2016 3:23 am
by Thrawn
Well, the InformAction page does look very broken...

Re: HTTPS enforcement broken for page resources

Posted: Wed Apr 06, 2016 12:07 pm
by Meee
barbaz wrote:Can you please compare HTTPFox logs with a "working" NoScript and latest NoScript, on ubuntuforums?
I don't know, but HTTPFox seems to offer less functionality than Firefox's built-in Network tool, as well as not being actively maintained. And I don't see any browser-add-on interaction with it.

Anyway, with a virgin Firefox Profile (only Flash disabled, "security.mixed_content.block_display_content" set to "true" and ".ubuntuforums.org" configured for NoScript's HTTPS enforcement), Firefox 45.0 of Linux Mint 17.1, 64 bit (I had to replace "http" below with "hxxp" to pass the forum's anti-spam filter):

- NoScript 2.9.0.6 works - page resources are loaded. HTTPFox logs the following loads:

Code:

00:00:53.452 0.879 375 (7302) GET (Cache) text/html hxxps://ubuntuforums.org/
00:00:54.483 1.109 610 16361 GET 200 text/css hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=bbcode.css,editor.css,popupmenu.css,reset-fonts.css,vbulletin.css,vbulletin-chrome.css,vbulletin-formcontrols.css,
00:00:54.516 1.195 535 3058 GET 200 text/css hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=forumbits.css,forumhome.css,options.css
00:00:54.540 1.215 510 4589 GET 200 text/css hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=additional.css
00:00:54.563 1.442 496 5082 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/ubuntulogo-o-small.png
00:00:54.591 1.445 494 555 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/navbit-home.png
00:00:54.633 1.432 498 656 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/collapse_40b.png
00:00:54.657 1.452 501 2234 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-48.png
00:00:54.682 1.468 504 746 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_new-48.png
00:00:54.707 1.478 504 746 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
00:00:54.734 1.550 500 654 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png
00:00:54.769 1.553 501 1982 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-48.png
00:00:54.791 1.562 505 787 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_link-48.png
00:00:54.812 1.596 501 746 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old.png
00:00:54.834 1.602 494 802 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/forum_stats.png
00:00:54.854 1.890 489 718 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/legend.png
00:00:54.876 1.890 501 746 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-16.png
00:00:54.897 1.888 501 746 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-16.png
00:00:54.922 2.267 502 787 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_link-16.png
00:00:55.758 1.471 556 2208 GET 200 image/gif hxxps://ubuntuforums.org/images/ubuntu-VB4/bg_dotted.gif
00:00:55.779 4.269 572 943 GET 200 image/png hxxps://wiki.ubuntu.com/moin_static192/light/images/orangeheader-tile.png
00:00:55.804 1.464 657 430 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/arrow.png
00:00:55.853 1.444 591 412 GET 200 image/png hxxps://ubuntuforums.org/images/gradients/gradient-greytowhite.png
00:00:55.948 1.404 492 525 GET 200 image/png hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/search.png
00:01:00.050 1.031 4294 129 POST 200 application/octet-stream hxxps://incoming.telemetry.mozilla.org/submit/telemetry/0167bc50-f520-408b-b654-0cfa9058c82a/main/Firefox/45.0/release/20160309193552?v=4
00:01:00.581 0.298 439 721 POST 200 application/ocsp-response hxxp://ocsp.digicert.com/

The Browser Console shows:

Code:

TypeError: dataSections[u] is undefined HttpFoxService.js:2037:11
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=bbcode.css,editor.css,popupmenu.css,reset-fonts.css,vbulletin.css,vbulletin-chrome.css,vbulletin-formcontrols.css,
Blocked loading mixed active content "hxxp://fonts.googleapis.com/css?family=Ubuntu:400,400italic,700,700italic|Ubuntu+Mono:400,700"[Learn More] ubuntuforums.org
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=forumbits.css,forumhome.css,options.css
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=additional.css
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/ubuntulogo-o-small.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/navbit-home.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/collapse_40b.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-48.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_new-48.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-48.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_link-48.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/forum_stats.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/legend.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-16.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-16.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_link-16.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=bbcode.css,editor.css,popupmenu.css,reset-fonts.css,vbulletin.css,vbulletin-chrome.css,vbulletin-formcontrols.css,
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=forumbits.css,forumhome.css,options.css
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=additional.css
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/ubuntulogo-o-small.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/search.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/navbit-home.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/collapse_40b.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_new-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_new-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_link-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_new-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_new-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/forum_stats.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/legend.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-16.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-16.png
[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_link-16.png
[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/favicon.ico

- NoScript 2.9.0.7rc2 doesn't work - page resources aren't loaded. HTTPFox logs the following loads:

Code:

00:00:01.327 1.648 375 (7280) GET (Cache) text/html hxxps://ubuntuforums.org/
00:00:01.793 0.560 439 701 POST 200 application/ocsp-response hxxp://ocsp.digicert.com/
00:00:01.812 0.577 439 721 POST 200 application/ocsp-response hxxp://ocsp.digicert.com/
00:00:01.829 0.542 439 721 POST 200 application/ocsp-response hxxp://ocsp.digicert.com/
00:00:01.846 0.809 439 721 POST 200 application/ocsp-response hxxp://ocsp.digicert.com/

The Browser Console shows:

Code:

TypeError: dataSections[u] is undefined HttpFoxService.js:2037:11
Blocked loading mixed active content "hxxp://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=bbcode.css,editor.css,popupmenu.css,reset-fonts.css,vbulletin.css,vbulletin-chrome.css,vbulletin-formcontrols.css,"[Learn More] ubuntuforums.org
Blocked loading mixed active content "hxxp://fonts.googleapis.com/css?family=Ubuntu:400,400italic,700,700italic|Ubuntu+Mono:400,700"[Learn More] ubuntuforums.org
Blocked loading mixed active content "hxxp://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=forumbits.css,forumhome.css,options.css"[Learn More] ubuntuforums.org
Blocked loading mixed active content "hxxp://ubuntuforums.org/css.php?styleid=117&langid=3&d=1456956033&td=ltr&sheet=additional.css"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/ubuntulogo-o-small.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/misc/navbit-home.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/buttons/collapse_40b.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-48.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_new-48.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old-48.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/buttons/lastpost-right.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_link-48.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/subforum_old.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/misc/forum_stats.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/misc/legend.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_new-16.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_old-16.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/statusicon/forum_link-16.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/images/ubuntu-VB4/buttons/search.png"[Learn More] ubuntuforums.org
Blocked loading mixed display content "hxxp://ubuntuforums.org/favicon.ico"[Learn More] ContentLinkHandler.jsm:169:0

Additional resources:
I don't know what "Removed legacy redirection methods when redirectTo() is available in HTTP channels" in NoScript 2.9.0.7rc2 change history means, but if NoScript now relies on the new-ish Firefox's built-in HSTS redirection instead, the latter seems to have issues. See, e.g., https://bugzilla.mozilla.org/show_bug.cgi?id=838395 as well as the other bugs linked to in https://blog.mozilla.org/tanvi/2013/04/ ... /#Appendix.

Re: HTTPS enforcement broken for page resources

Posted: Wed Apr 06, 2016 12:47 pm
by barbaz
Thanks, that's what I thought. With NoScript 2.9.0.10rc1 if the browser does not block mixed content then HTTPFox shows BOTH the http requests (as pending) AND the https requests.
So NoScript's change of redirection methods means it's doing its redirections later than it used to.
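
The comparison made in the posts above can be automated. The following is an added example (not part of any forum post, and not NoScript code): it sorts Browser Console lines into resources NoScript upgraded, resources covered by an enforcement entry that still hit the mixed-content check as http, and resources outside the enforcement list. The function names, the leading-dot matching rule and the sample lines are assumptions made for the example.

```javascript
// Added example: triage Browser Console output for missed HTTPS upgrades.
// Assumption: an entry with a leading dot (".ubuntuforums.org") covers the
// bare domain and all subdomains, as the results in the thread imply;
// an entry without a leading dot is treated as an exact host name.
function coveredBy(host, entries) {
  const h = host.toLowerCase();
  return entries.some((entry) => {
    const e = entry.toLowerCase();
    if (!e.startsWith(".")) return h === e;
    const base = e.slice(1);
    return h === base || h.endsWith("." + base);
  });
}

const BLOCKED = /^Blocked loading mixed (active|display) content "([^"]+)"/;
const WARNED = /^Loading mixed \(insecure\) (active|display) content "([^"]+)" on a secure page/;
const UPGRADED = /^\[NoScript HTTPS\] (?:Forced URI|Image HTTP->HTTPS redirection to) (\S+)/;

// The thread writes "hxxp" to pass the forum's spam filter; undo that.
const defang = (u) => u.replace(/^hxxp/i, "http");

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

function triage(lines, entries) {
  const report = { missedUpgrade: [], outOfScope: [], upgraded: new Set() };
  for (const line of lines) {
    let m = UPGRADED.exec(line);
    if (m) { report.upgraded.add(defang(m[1])); continue; }
    m = BLOCKED.exec(line) || WARNED.exec(line);
    if (!m) continue;                       // unrelated console line
    const url = defang(m[2]);
    const host = hostOf(url);
    if (host === null) continue;            // unparseable URL, skip
    const item = { url, kind: m[1], blocked: line.startsWith("Blocked") };
    // Covered host still seen as http: enforcement ran too late for it.
    (coveredBy(host, entries) ? report.missedUpgrade : report.outOfScope).push(item);
  }
  return report;
}

// Constructed sample lines, shortened from the console output in the thread.
const OLD_LOG = [ // NoScript 2.9.0.6
  "[NoScript HTTPS] Forced URI hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/legend.png",
  'Blocked loading mixed active content "hxxp://fonts.googleapis.com/css?family=Ubuntu:400"[Learn More] ubuntuforums.org',
  "[NoScript HTTPS] Image HTTP->HTTPS redirection to hxxps://ubuntuforums.org/images/ubuntu-VB4/misc/legend.png",
];
const NEW_LOG = [ // NoScript 2.9.0.7rc2
  "TypeError: dataSections[u] is undefined HttpFoxService.js:2037:11",
  'Blocked loading mixed active content "hxxp://ubuntuforums.org/css.php?styleid=117&sheet=additional.css"[Learn More] ubuntuforums.org',
  'Blocked loading mixed active content "hxxp://fonts.googleapis.com/css?family=Ubuntu:400"[Learn More] ubuntuforums.org',
  'Blocked loading mixed display content "hxxp://ubuntuforums.org/favicon.ico"[Learn More] ContentLinkHandler.jsm:169:0',
];

for (const [name, log] of [["2.9.0.6", OLD_LOG], ["2.9.0.7rc2", NEW_LOG]]) {
  const r = triage(log, [".ubuntuforums.org"]);
  console.log(name, "missed:", r.missedUpgrade.length,
              "out of scope:", r.outOfScope.length, "upgraded:", r.upgraded.size);
}
```

The fonts.googleapis.com stylesheet lands in `outOfScope` for both versions because no enforcement entry covers it, so only the `missedUpgrade` entries point at the regression discussed here.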

Re: HTTPS enforcement broken for page resources

Posted: Thu Apr 07, 2016 11:10 am
by Meee
On a side note, informaction.com is now all-HTTPS (including HSTS), so it can no longer be used to test this issue.

Re: HTTPS enforcement broken for page resources

Posted: Fri Jun 10, 2016 9:19 pm
by Meee
Just to bring this topic back to the first page of the topics list: Another domain (there aren't many, luckily) to test the issue: http://blog.linuxmint.com/

With ".linuxmint.com" configured for HTTPS enforcement.