arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

security.mixed_content.upgrade_display_content (round 2) #754

Closed claustromaniac closed 5 years ago

claustromaniac commented 5 years ago

TL;DR: I'm proposing to add the pref in the title, in addition to the 3 prefs that we have for controlling mixed content:

/** MIXED CONTENT ***/
/* 1240: disable insecure active content on https pages
 * [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
/* 1241: disable insecure passive content (such as images) on https pages [SETUP-WEB] ***/
user_pref("security.mixed_content.block_display_content", true);
/* 1243: block unencrypted requests from Flash on encrypted pages to mitigate MitM attacks [FF59+]
 * [1] https://bugzilla.mozilla.org/1190623 ***/
user_pref("security.mixed_content.block_object_subrequest", true);

For these STR, I will refer to 1240 as blockActive, 1241 as blockDisplay, 1243 as blockPlugin, and security.mixed_content.upgrade_display_content as upgradeDisplay.

  1. Go to about:config

  2. Set blockActive, blockDisplay, and blockPlugin to false

  3. In a new tab, go to https://www.bennish.net/mixed-content.html (which would be a nice addition to the wiki BTW)

  4. Without leaving that tab, go to devtools, network tab (Ctrl+Shift+E) and reload the page. You should see insecure requests being made (hover over the padlocks in the list of requests for more info)

  5. Open the scratchpad, paste the following code and run it:

    (() => {
      // Inject an <img> pointing at an http:// URL to trigger a mixed display request
      const ocat = document.createElement('img');
      ocat.setAttribute('src', 'http://github.githubassets.com/images/spinners/octocat-spinner-128.gif');
      ocat.textContent = '[octocat spinner]';
      document.body.appendChild(ocat);
    })();

    The code simply injects an <img> HTML element that triggers a request to github.githubassets.com over HTTP. The octocat gif should appear at the very bottom of the page.

  6. check the devtools to confirm the octocat image was loaded over http

  7. set upgradeDisplay to true, reload the page and re-run the scratchpad script

  8. check the devtools, notice the green padlock for that request. You can also click the request in the list to confirm (on the right-hand panel) the target url is https://github.githubassets... Also, notice how upgradeDisplay prevented the other images in that site from loading, because they can't be upgraded to HTTPS. (conclusion 1: when the content can't be loaded over HTTPS, upgradeDisplay does not load it over HTTP)

  9. set blockDisplay to true and reload, re-run script

  10. same result as in step 8 (conclusion 2: upgradeDisplay has higher priority than blockDisplay, because the octocat gif was loaded without a hitch over HTTPS)

  11. test the remaining different combinations of prefs (with blockActive and blockPlugin) to confirm they don't conflict with each other (conclusion 3: there don't seem to be any issues with the other prefs)

  12. give me some catnip


Correct me if I'm wrong, but it seems the rationale for not adding this pref after the discussion in #367 was that:

  1. we can live without mixed display content
  2. Mozilla devs must have some reason for leaving it disabled by default

My counter-arguments:

  1. we can live without beer and catnip too, yet ... you know
  2. maybe they just don't want to break stuff by default? would make sense considering they went as far as to give us 2 different prefs for controlling mixed active content (super risky) and mixed display content (not as risky) separately. Presumably, that's also the reason blockDisplay is false by default. There might be other reasons, but that sounds like the most likely explanation to me.

I think this at least deserves some more consideration, and maybe some more investigating. I haven't started digging into the source code yet (time constraints as always), but I think we can at the very least add this inactive as an FYI.

Anyway, I know :jeans: wants as few issues open as possible, so feel free to close this whenever you want.
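Added example (my own model, not code from arkenfox or from the issue author): a small JavaScript function that encodes the decision the STR above exercise for the four prefs, including conclusions 1 and 2 (upgradeDisplay wins over blockDisplay, and non-upgradeable display content is not loaded over HTTP). The resource-type sets and the `upgradeable` flag (standing in for whether the host actually answers over HTTPS) are assumptions made for the model.

```javascript
// Constructed model of Firefox mixed-content handling as observed in the thread.
// Type sets are an assumption for the example: active = can run code or read the
// page, display = passive media. Anything unknown is treated as active (conservative).
const ACTIVE_TYPES = new Set(['script', 'stylesheet', 'iframe', 'xhr', 'fetch', 'font']);
const DISPLAY_TYPES = new Set(['img', 'audio', 'video']);

// Classify a subresource: 'none' if not mixed, else 'plugin' | 'active' | 'display'.
function classifyMixedContent(pageUrl, resourceUrl, type) {
  const page = new URL(pageUrl);
  const res = new URL(resourceUrl);
  if (page.protocol !== 'https:' || res.protocol !== 'http:') return 'none';
  if (type === 'object') return 'plugin';
  if (ACTIVE_TYPES.has(type)) return 'active';
  if (DISPLAY_TYPES.has(type)) return 'display';
  return 'active';
}

// prefs = { blockActive, blockDisplay, blockPlugin, upgradeDisplay } (booleans, as in the STR).
// `upgradeable` is a stand-in for "the server serves this resource over HTTPS".
// Returns { action: 'load', url } or { action: 'block' }.
function resolveLoad(prefs, pageUrl, resourceUrl, type, upgradeable) {
  const kind = classifyMixedContent(pageUrl, resourceUrl, type);
  const loadAsIs = { action: 'load', url: resourceUrl };
  const block = { action: 'block' };
  switch (kind) {
    case 'none':
      return loadAsIs;
    case 'active':
      return prefs.blockActive ? block : loadAsIs;
    case 'plugin':
      return prefs.blockPlugin ? block : loadAsIs;
    case 'display':
      if (prefs.upgradeDisplay) {
        // Conclusion 2: upgradeDisplay takes priority over blockDisplay.
        // Conclusion 1: if the HTTPS version is unavailable, nothing falls back to HTTP.
        const upgraded = new URL(resourceUrl);
        upgraded.protocol = 'https:';
        return upgradeable ? { action: 'load', url: upgraded.href } : block;
      }
      return prefs.blockDisplay ? block : loadAsIs;
  }
}
```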

claustromaniac commented 4 years ago

Just FYI, 1442990 was set to RESOLVED WONTFIX, because upgrading mixed passive content is going to be the default behavior as per the Mixed Content Level 2 spec.

Thorin-Oakenpants commented 4 years ago

Well, that's better than nothing, but by the time it gets implemented (I'm just guessing here), HTTP will probably be deprecated (or near enough, with scary NOT SECURE warnings in the urlbar if any content is insecure: i.e. most of the top sites will have changed)

claustromaniac commented 4 years ago

Personally, I've never seen the relevance of the "top sites". Most of those already support HTTPS by default, and that won't change.

The Internet is so big that I don't need to use any of those sites, and I'm sure I'm not alone on that (thank gods!)

Thorin-Oakenpants commented 4 years ago

True ... and that's only the surface web. But for most people I doubt they stray outside the top 1M or whatever except for their local news or shops maybe.

Meanwhile ... I found an excellent image for POOP .. https://thechive.files.wordpress.com/2019/10/0e429b7be7ed04ef0d4706a8e5137ec0.jpg 🤣

claustromaniac commented 4 years ago

But for most people...

Right, that change won't be very meaningful for them, which seems to imply that the W3C is trying to improve the Internet for people like me too! (thanks W3C!)

I found an excellent image for POOP

Cool. Does it have a license? Can I borrow it for my page? (assuming I ever manage to get back to working on that thing!).