chromium / badssl.com

:lock: Memorable site for testing clients against bad SSL configs.
https://badssl.com
Apache License 2.0
2.78k stars 186 forks

https://mixed-script.badssl.com/ #525

Open gamer191 opened 1 year ago

gamer191 commented 1 year ago

Firefox fails this test, but looking at the network tab, it appears that the script (https://mixed-script.badssl.com/nonsecure.js) has been accidentally upgraded to https

christhompson commented 1 year ago

I think Firefox is currently experimenting with upgrading mixed content. I'm not sure what the state of that is though, but it's possible that caused upgrades to occur. What behavior are you seeing on BadSSL that seems wrong?

gamer191 commented 1 year ago

What behavior are you seeing on BadSSL that seems wrong?

Firefox gets a red screen, with the text "This page has run active mixed content (a script from an insecure URL)", despite never making a network request to a http site.

christhompson commented 1 year ago

My best guess (without details about your Firefox installation and any active experiments) is that Firefox is auto-upgrading blockable mixed content -- IIRC this was the behavior of their experimental implementation at least at some point in the past (https://bugzilla.mozilla.org/show_bug.cgi?id=1672106#c7).

If the script loads at all, the test page will turn to the "error" state (https://mixed-script.badssl.com/nonsecure.js). If Firefox is upgrading the script to HTTPS then this is technically in violation of the Mixed Content Level 2 spec (https://w3c.github.io/webappsec-mixed-content/level2.html#category-upgradeable).

I think the test case is working as expected here, but it might be possible to make it a bit more robust in the face of upgrades if the JS queries how it was loaded instead of unconditionally -- maybe using document.currentScript.src? I don't know if that will consistently get the rewritten URL or if it is set based on the source document only. Happy to accept a PR that adds that, but it feels low priority as this is unexpected non-spec-compliant behavior.
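As an added example (not badssl.com's own nonsecure.js, and not code from anyone in this thread), here is one way the test script could check how it was actually loaded, so that a browser that silently rewrote the http URL to https is reported as "upgraded" rather than as a plain failure to block mixed content. The function names are assumptions, and so is the premise that document.currentScript.src reflects the URL the browser actually fetched after an upgrade, which the comment above explicitly leaves open; the expected insecure URL is the one referenced on this page. The pure classifier runs offline under Node, and the browser entry point is guarded so the same file loads in both environments.

```javascript
// Added example: classify how a test script was loaded so a mixed-content test
// can tell "insecure active content really executed" apart from "the browser
// upgraded the URL before fetching". Not part of badssl.com.

// Insecure URL of the test script, as referenced in this issue.
const EXPECTED_INSECURE_SRC = "http://mixed-script.badssl.com/nonsecure.js";

// documentUrl: URL of the page that included the script (location.href).
// scriptSrc:   URL the script believes it was loaded from
//              (assumed: document.currentScript.src after any upgrade).
function classifyScriptLoad(documentUrl, scriptSrc, expectedInsecureSrc = EXPECTED_INSECURE_SRC) {
  const doc = new URL(documentUrl);
  const actual = new URL(scriptSrc);
  const expected = new URL(expectedInsecureSrc);

  // Mixed content only exists on a secure document.
  if (doc.protocol !== "https:") {
    return "document-not-secure";
  }

  // Same host and path as the expected script, scheme ignored for now.
  const sameTarget =
    actual.host === expected.host && actual.pathname === expected.pathname;
  if (!sameTarget) {
    return "unexpected-src";
  }

  if (actual.protocol === "http:") {
    // Blockable mixed content was fetched and executed: the real failure
    // this test page exists to catch.
    return "mixed-content-executed";
  }
  if (actual.protocol === "https:") {
    // The browser rewrote http -> https before fetching. Mixed Content
    // Level 2 lists scripts as blockable rather than upgradeable, so this
    // deviates from the spec, but it is not the same failure as above.
    return "upgraded-to-https";
  }
  return "unexpected-src";
}

// Browser entry point. Returns null outside a browser (e.g. under Node) so
// the classifier can be exercised offline. Hypothetical hook: a real test
// page would flip its UI based on the returned value.
function reportFromBrowser() {
  if (typeof document === "undefined" || !document.currentScript) {
    return null;
  }
  return classifyScriptLoad(document.location.href, document.currentScript.src);
}

reportFromBrowser();
```

The design point is that the classifier compares host and path but not scheme, so the only thing the scheme check can distinguish is whether the fetch went over http or https. Whether a browser exposes the post-upgrade URL in currentScript.src is the assumption that would need verifying before relying on this in the real test page.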

Jyoticharan commented 10 months ago

please assign me the issue