Last modified: 2012-03-14 22:29:34 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T20496, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 18496 - Non-secure logos on secure pages
Non-secure logos on secure pages
Status: RESOLVED FIXED
Product: Wikimedia
Classification: Unclassified
SSL related (Other open bugs)
unspecified
All All
: Low normal with 2 votes (vote)
: ---
Assigned To: Nobody - You can work on this!
:
Depends on: 16822
Blocks: ssl
  Show dependency treegraph
 
Reported: 2009-04-18 01:36 UTC by John Mark Vandenberg
Modified: 2012-03-14 22:29 UTC (History)
8 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description John Mark Vandenberg 2009-04-18 01:36:26 UTC 
The logos are being loaded via http://upload.wikimedia.org using CSS such as

<div class="portlet" id="p-logo">
		<a style="background-image: url(http://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png);" href="/wikipedia/en/wiki/Main_Page" title="Visit the main page [z]" accesskey="z"></a>
	</div>

When accessed via the secure.wikimedia.org site with Internet Explorer 7, it results in a blocking warning "This page contains both secure and nonsecure items", which needs to be turned off.

Turning off this warning involves going to Tools -> Internet Options -> Security tab -> Internet zone -> Custom level -> Miscellaneous section -> "Display mixed content" = Enabled.
Comment 1 Brion Vibber 2009-07-13 20:47:59 UTC 
Once SSL interface for upload is available (bug 16822), we can either use protocol-relative links or slip in a check in secure.php config to use https:// for these.
Comment 2 Nico R. 2010-03-02 08:09:30 UTC 
This bug does not only affect Internet Explorer 7, but all web browsers which automatically load images. Some of them do not even display warnings, but transmit insecure content.

Updating summary accordingly.
Comment 3 Brian Jason Drake 2010-12-30 12:37:27 UTC 
(In reply to comment #0)
> The logos are being loaded via http://upload.wikimedia.org using CSS such as
> 
> <div class="portlet" id="p-logo">
>         <a style="background-image:
> url(http://upload.wikimedia.org/wikipedia/en/b/bc/Wiki.png);"
> href="/wikipedia/en/wiki/Main_Page" title="Visit the main page [z]"
> accesskey="z"></a>
>     </div>

They are? Not via a CSS stylesheet?

> When accessed via the secure.wikimedia.org site with Internet Explorer 7, it
> results in a blocking warning "This page contains both secure and nonsecure
> items", which needs to be turned off.
> 
> Turning off this warning involves going to Tools -> Internet Options ->
> Security tab -> Internet zone -> Custom level -> Miscellaneous section ->
> "Display mixed content" = Enabled.

I don’t understand what you mean by a “blocking warning” needing “to be turned off”. AFAIK, Internet Explorer 7 and higher also provide a Prompt option, allowing you to keep the warning and still view the items loaded over a non-secure connection.
Comment 4 Rob Halsell 2011-04-06 17:07:17 UTC 
We are currently in the process of planning a restructure on how we handle secure content.  This will be addressed in that update.
Comment 5 MZMcBride 2012-03-13 21:57:24 UTC 
John: Is this bug still unresolved?
Comment 6 John Mark Vandenberg 2012-03-14 20:53:47 UTC 
I dont have IE7 handy, and I no longer use secure.wm.org so I no longer care.  I cant reproduce this bug in IE8.
Comment 7 MZMcBride 2012-03-14 22:29:34 UTC 
(In reply to comment #6)
> I dont have IE7 handy, and I no longer use secure.wm.org so I no longer care. 
> I cant reproduce this bug in IE8.

Fair enough. I'm going to mark this bug as resolved (as it appears to be).

Anyone is free to re-open the bug if there's still a demonstrable issue.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links