webcompat / web-bugs

A place to report bugs on websites.
https://webcompat.com
Mozilla Public License 2.0

www.asus.com - Images don't load #108102

Open webcompat-bot opened 2 years ago

webcompat-bot commented 2 years ago

URL: https://www.asus.com/support/FAQ/1037906/

Browser / Version: Firefox 103.0
Operating System: Windows 10
Tested Another Browser: Yes Edge

Problem type: Design is broken
Description: Images not loaded
Steps to Reproduce: Images are not loading in Firefox, but they are in Edge, due to CSP restrictions. It seems that ASUS broke the design without purpose, loading http images in an https page with CSP.

Browser Configuration
  • None

From webcompat.com with ❤️

softvision-oana-arbuzov commented 2 years ago

Thanks for the report, I was able to reproduce the issue.

Affected area:

<img src="http://kmpic.asus.com/images/2018/11/01/02e9ffac-4ffb-4eee-b72e-9ba685fa8516.jpg" style="width: 772px; height: 689px;" width="893" height="725">

Note:

  1. The issue is not reproducible on Chrome.
  2. The issue is reproducible on Firefox regardless of the ETP status.

Tested with:
Browser / Version: Firefox Nightly 105.0a1 (2022-07-27), Firefox Release 103.0
Operating System: Windows 10 Pro

Moving to Needsdiagnosis for further investigation.

[qa_30/2022]

cadeyrn commented 2 years ago

Observations:

If you manually change the protocol of the images from http:// to https:// (either via devtools or a script) the images appear.

If you open one of the images with http:// in a new tab you only see a white page with the HTTP status 502 Connection reset by peer.

Chrome also shows a 502 error page if you directly open the image. But Chrome has no issues with showing these images when they are used as an <img>.

wisniewskit commented 2 years ago

It's unclear to me why the images are being blocked given their CSP includes kmpic.asus.com as a default-src, and has no img-src. As such I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1787576 to hopefully get some insight.

wisniewskit commented 2 years ago

Based on an early look in the bug I reported above, this is technically the site's error per the CSP standard, and Chrome seems to maybe do something to work around it. The site should probably have http://*.asus.com in their CSP, as without the http: the browser isn't supposed to assume to allow mixed content like this.
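
The CSP rule behind the diagnosis above, as an added example that is not part of the thread, Firefox's code or the ASUS site: a minimal JavaScript implementation of the CSP3 host-source matching step, showing that a scheme-less `kmpic.asus.com` in `default-src` on an https page does not cover an `http://kmpic.asus.com/...` image, while `http://*.asus.com` does. The `default-src` values, page origin and helper names are constructed for the demonstration; ports, paths and keyword sources are not modelled, and mixed-content blocking is a separate browser check that CSP matching does not replace.

```javascript
// CSP3 scheme-part matching: expression scheme `a` matches URL scheme `b`
// when they are equal, or when `a` is the less secure variant of `b`
// (so an http: source also covers https: URLs, never the reverse).
function schemePartMatches(a, b) {
  if (a === b) return true;
  if (a === "http" && b === "https") return true;
  if (a === "ws" && (b === "wss" || b === "http" || b === "https")) return true;
  if (a === "wss" && b === "https") return true;
  return false;
}

// expr: a host-source such as "kmpic.asus.com" or "http://*.asus.com"
// urlStr: the resource being fetched; pageOrigin: the document's origin
function urlMatchesHostSource(expr, urlStr, pageOrigin) {
  const url = new URL(urlStr);
  const page = new URL(pageOrigin);
  const urlScheme = url.protocol.replace(/:$/, "");
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^\/:]+)$/i.exec(expr.trim());
  if (!m) throw new Error("unsupported source expression: " + expr);
  const [, exprScheme, exprHost] = m;
  // With no scheme-part the page's own scheme is the one compared, so on an
  // https page only https resource URLs can match a bare host-source.
  const schemeToCheck = exprScheme
    ? exprScheme.toLowerCase()
    : page.protocol.replace(/:$/, "");
  if (!schemePartMatches(schemeToCheck, urlScheme)) return false;
  const host = url.hostname.toLowerCase();
  const pattern = exprHost.toLowerCase();
  if (pattern.startsWith("*.")) {
    // "*.asus.com" matches any subdomain but not "asus.com" itself
    return host.endsWith(pattern.slice(1));
  }
  return host === pattern;
}

// Evaluate a constructed default-src list (hypothetical helper); quoted keyword
// sources such as 'self' are skipped because they are not modelled here.
function cspAllowsImage(defaultSrc, imageUrl, pageOrigin) {
  return defaultSrc
    .split(/\s+/)
    .filter((s) => s && !s.startsWith("'"))
    .some((src) => urlMatchesHostSource(src, imageUrl, pageOrigin));
}

// The thread's case: https page, http image, host listed without a scheme.
const pageOrigin = "https://www.asus.com";
const image = "http://kmpic.asus.com/images/2018/11/01/02e9ffac-4ffb-4eee-b72e-9ba685fa8516.jpg";
console.log(cspAllowsImage("'self' kmpic.asus.com", image, pageOrigin));   // false
console.log(cspAllowsImage("'self' http://*.asus.com", image, pageOrigin)); // true
```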

webcompat-bot commented 2 years ago

Generate outreach template