<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 12/17/14 12:16 PM, Mike Connor wrote:
<blockquote
cite="mid:CAKx4dk1tARD2kUhpiwfffS=zgyszZE4OHAJNGog7iQLhRqRxuQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div class="gmail_extra">
<div class="gmail_quote">On Wed, Dec 17, 2014 at 2:56 PM,
Tanvi Vyas <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:tvyas@mozilla.com" target="_blank">tvyas@mozilla.com</a>></span>
wrote:
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class=""> On
12/16/14 10:57 AM, Chris Peterson wrote:<br>
</span>
<blockquote type="cite"><span class=""></span><span
class="">That is a good question: why does the user
care about (passive) mixed content warnings? Is
there any user risk if the Firefox address bar
displays mixed content sites with the plain HTTP
icon (while still using HTTPS connections
underneath)?<br>
</span></blockquote>
We shouldn't tell the user they are visiting the site
over HTTP if they are in fact using HTTPS.</div>
</blockquote>
<div><br>
</div>
<div>Let's not overrotate on what we _think_ that icon
means. HTTP is an implementation detail. We can make
icons that mean "insecure" "encrypted" "validated" and act
accordingly.<br>
</div>
<div> </div>
</div>
</div>
</div>
</blockquote>
For some background and historical discussion on this topic, see
this bug - <a class="moz-txt-link-freetext" href="https://bugzilla.mozilla.org/show_bug.cgi?id=865352">https://bugzilla.mozilla.org/show_bug.cgi?id=865352</a><br>
<br>
<blockquote
cite="mid:CAKx4dk1tARD2kUhpiwfffS=zgyszZE4OHAJNGog7iQLhRqRxuQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">The page will have
access to cookies that are marked for secure origins
only, for example. Mixed passive content leaks
information about the page the user is visiting and
leaks cookies associated with the domain the passive
content is sourced from. Moreover, a MITM can change
what the page looks like (ex: replace an icon to reply
to a message with an icon to delete a message).<br>
</div>
</blockquote>
<div><br>
</div>
<div>We could (should?) change the cookie behaviour, i.e.
secure cookies aren't accessible to JS if the page isn't
fully secure.</div>
</div>
</div>
</div>
</blockquote>
The point about access to secure cookies was just to note that we
should indicate to the user that this is an "https" page and not
pretend it's "http" by removing the https from the url bar
(iconography aside). But I see that that is not what you were
proposing.<br>
<br>
The issue with cookies and mixed passive content doesn't have to do
with secure cookies. Assume a user visits <a class="moz-txt-link-freetext" href="https://finance.yahoo.com">https://finance.yahoo.com</a>
at an internet cafe. <a class="moz-txt-link-freetext" href="https://finance.yahoo.com">https://finance.yahoo.com</a> then makes a
subresource request to <a class="moz-txt-link-freetext" href="http://images.yahoo.com">http://images.yahoo.com</a>. The users
non-secure yahoo.com cookies are then sent in the clear. If the
authentication cookies are marked secure, this wouldn't be a
problem, but in many cases they are not marked secure and the HTTP
mixed content request leaks them.<br>
<br>
If there is mixed active content (ex: JS) on the page, the user has
to disable mixed content protection in order for the JS to load.
And in that case, yes the JS can access the secure cookies unless
they are marked "http-only" by the website.<br>
<br>
<br>
</body>
</html>