mahara-contributors team mailing list archive
Message #27208
[Bug 1463629] [NEW] Prevent HTTP iframes on HTTPS sites
*** This bug is a security vulnerability ***
Public security bug reported:
We've reached a point now where Firefox, Chrome, and IE will all
silently ignore an HTTP iframe on an HTTPS site.
Most iframe embed providers now provide an https or protocol-relative
iframe code, but occasionally a user will still enter an http iframe,
maybe from a site that isn't up to snuff yet, or copied from an older
page. This leads to the unsatisfactory user experience where they've
entered an iframe code, but the iframe doesn't show up at all.
We should change our safe iframe code so that it detects these HTTP
iframes and rewrites them to HTTPS or protocol-relative.
This is also a bit of a security issue (mixing HTTP content on an HTTPS
page) but since all modern browsers simply ban the unsafe iframe, it's a
low-priority security issue.
** Affects: mahara
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: In Progress
** Affects: mahara/1.10
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/1.9
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/15.04
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: Confirmed
** Affects: mahara/15.10
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: In Progress
** Tags: iframes
** Also affects: mahara/15.10
Importance: Low
Assignee: Aaron Wells (u-aaronw)
Status: In Progress
** Also affects: mahara/1.10
Importance: Undecided
Status: New
** Also affects: mahara/15.04
Importance: Undecided
Status: New
** Also affects: mahara/1.9
Importance: Undecided
Status: New
** Changed in: mahara/15.04
Status: New => Confirmed
** Changed in: mahara/1.9
Status: New => Confirmed
** Changed in: mahara/1.10
Status: New => Confirmed
** Changed in: mahara/15.04
Importance: Undecided => Low
** Changed in: mahara/1.9
Importance: Undecided => Low
** Changed in: mahara/1.10
Importance: Undecided => Low
** Changed in: mahara/15.04
Milestone: None => 15.04.2
** Changed in: mahara/1.9
Milestone: None => 1.9.7
** Changed in: mahara/1.10
Milestone: None => 1.10.5
** Changed in: mahara/15.04
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/1.9
Assignee: (unassigned) => Aaron Wells (u-aaronw)
** Changed in: mahara/1.10
Assignee: (unassigned) => Aaron Wells (u-aaronw)
https://bugs.launchpad.net/bugs/1463629
Title:
Prevent HTTP iframes on HTTPS sites
Status in Mahara ePortfolio:
In Progress
Status in Mahara 1.10 series:
Confirmed
Status in Mahara 1.9 series:
Confirmed
Status in Mahara 15.04 series:
Confirmed
Status in Mahara 15.10 series:
In Progress
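A sketch of the rewrite proposed in the report above, added here as an illustration; it is not Mahara's code and not part of the original message. The function name `upgrade_http_iframes`, its parameters and the sample markup are constructed for the example.

```php
<?php
// Added example, not Mahara's code; function name and sample markup are constructed.

/**
 * Upgrade plain-HTTP iframe sources so the embed is not blocked as mixed
 * content when the surrounding page is served over HTTPS.
 *
 * @param string $html             user-supplied embed markup
 * @param bool   $protocolrelative emit //host/path instead of https://host/path
 * @param array  $rewritten        receives the http:// URLs that were changed
 */
function upgrade_http_iframes(string $html, bool $protocolrelative = false, array &$rewritten = []): string {
    $rewritten = [];
    $prefix = $protocolrelative ? '//' : 'https://';
    // Group 1: the <iframe ...> opening tag up to and including the optional quote
    //          before the src value ("\ssrc" keeps data-src and similar out).
    // Group 2: the rest of the URL after "http://".
    // "https://" sources never match because the pattern requires "http://" exactly.
    $pattern = '~(<iframe\b[^>]*?\ssrc\s*=\s*["\']?)\s*http://([^\s"\'>]*)~i';
    return preg_replace_callback($pattern, function (array $m) use ($prefix, &$rewritten) {
        $rewritten[] = 'http://' . $m[2];
        return $m[1] . $prefix . $m[2];
    }, $html);
}

// Constructed sample input: two HTTP embeds (one with an upper-case scheme and
// single quotes), one embed that is already HTTPS, and an ordinary link.
$sample = <<<'HTML'
<p>My talk:</p>
<iframe width="560" height="315" src="http://video.example.org/embed/abc123"></iframe>
<iframe src='HTTP://slides.example.net/deck/7' data-src="http://ignored.example"></iframe>
<iframe src="https://maps.example.com/view?q=1"></iframe>
<a href="http://example.org/">plain link, left alone</a>
HTML;

$changed = [];
echo upgrade_http_iframes($sample, false, $changed), "\n";
echo count($changed), " iframe source(s) upgraded:\n";
foreach ($changed as $url) {
    echo "  ", $url, "\n";
}
```

A host that does not serve HTTPS will still fail to load after the rewrite; returning the list of changed URLs lets the caller tell the user which embeds were altered.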
Follow ups
- [Bug 1463629] A change has been merged (From: Mahara Bot, 2018-04-02)
- [Bug 1463629] A patch has been submitted for review (From: Mahara Bot, 2018-04-02)
- [Bug 1463629] A change has been merged (From: Mahara Bot, 2018-04-02)
- [Bug 1463629] A patch has been submitted for review (From: Mahara Bot, 2018-03-27)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Kristina Hoeppner, 2016-10-12)
- [Bug 1463629] A change has been merged (From: Mahara Bot, 2016-08-19)
- [Bug 1463629] A patch has been submitted for review (From: Mahara Bot, 2016-08-17)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Aaron Wells, 2015-10-23)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Robert Lyon, 2015-07-10)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Robert Lyon, 2015-07-10)
- [Bug 1463629] A change has been merged (From: Mahara Bot, 2015-07-07)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Robert Lyon, 2015-07-07)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Robert Lyon, 2015-07-07)
- [Bug 1463629] A change has been merged (From: Mahara Bot, 2015-07-07)
- [Bug 1463629] A change has been merged (From: Mahara Bot, 2015-07-07)
- [Bug 1463629] A patch has been submitted for review (From: Mahara Bot, 2015-07-07)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Robert Lyon, 2015-07-07)
- [Bug 1463629] A patch has been submitted for review (From: Mahara Bot, 2015-07-07)
- [Bug 1463629] A patch has been submitted for review (From: Mahara Bot, 2015-07-07)
- [Bug 1463629] A change has been merged (From: Mahara Bot, 2015-07-07)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Robert Lyon, 2015-07-07)
- [Bug 1463629] Re: Prevent HTTP iframes on HTTPS sites (From: Aaron Wells, 2015-06-10)
- [Bug 1463629] [NEW] Prevent HTTP iframes on HTTPS sites (From: Aaron Wells, 2015-06-10)
- [Bug 1463629] A patch has been submitted for review (From: Mahara Bot, 2015-06-10)