[asterisk-bugs] [Mantis 0016214]: Insecure Google CSS files making Mantis produce mixed content warning

Asterisk Bug Tracker noreply at bugs.digium.com
Tue Nov 10 08:25:42 CST 2009


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16214 
====================================================================== 
Reported By:                davidw
Assigned To:                
====================================================================== 
Project:                    Mantis
Issue ID:                   16214
Category:                   General
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     acknowledged
JIRA:                        
====================================================================== 
Date Submitted:             2009-11-10 06:19 CST
Last Modified:              2009-11-10 08:25 CST
====================================================================== 
Summary:                    Insecure Google CSS files making Mantis produce
mixed content warning
Description: 
Since about a week ago, Mantis has been producing mixed content warnings
(HTTP on HTTPS page), on explicit page loads and on auto refreshes.  It is
not possible to suppress these in normal browsers without compromising
security globally (although many people will have disabled this warning).

It looks like this is the result of including two CSS files from
http://www.google.com/.
====================================================================== 

---------------------------------------------------------------------- 
 (0113537) davidw (reporter) - 2009-11-10 08:25
 https://issues.asterisk.org/view.php?id=16214#c113537 
---------------------------------------------------------------------- 
Sort of.  It is the style sheet for the Google control that is being
fetched by HTTP and triggering the warning; that happens regardless of
whether you use the control. Style sheets can be used to deceive and to
leak information, but the real problem here is that one cannot disable the
warning for just one site, so it encourages turning off a browser safety
feature. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-11-10 08:25 davidw         Note Added: 0113537                          
======================================================================
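
An added example, not part of the original report or of the Mantis code base: a check that lists the subresources an HTTPS page loads over plain HTTP, which is the condition the reporter describes for the style sheets. The sample markup, hosts and paths are constructed placeholders, and the active/passive labels follow the usual browser distinction between blockable content (style sheets, scripts) and images.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that trigger a subresource fetch, and how browsers class them.
SUBRESOURCES = {
    ("link", "href"): "active",    # only counted when rel includes "stylesheet"
    ("script", "src"): "active",
    ("img", "src"): "passive",
}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in SUBRESOURCES.items():
            if t != tag or not attrs.get(attr):
                continue
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower().split():
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, attrs[attr].strip())
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(html, page_url):
    """Return (kind, tag, url) for each http:// subresource on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    return collector.findings

# Constructed sample page: hosts and paths are placeholders, not the tracker's markup.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://widgets.example.test/control.css">
<link rel="stylesheet" href="//widgets.example.test/theme.css">
<link rel="stylesheet" href="/css/default.css">
<script src="https://widgets.example.test/control.js"></script>
</head><body><a href="http://example.test/">link</a>
<img src="http://img.example.test/logo.png"></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE, "https://tracker.example.test/view.php?id=1"):
        print(f"{kind:7} <{tag}> {url}")
```

Protocol-relative and site-relative references inherit the page's scheme and are not reported; an ordinary `<a href>` is navigation rather than a subresource and is ignored.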



