Prevent HTTP iframes on HTTPS sites

Bug #1463629 reported by Aaron Wells
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  Low          Aaron Wells
1.10      Fix Released  Low          Aaron Wells
1.9       Fix Released  Low          Aaron Wells
15.04     Fix Released  Low          Aaron Wells

Bug Description

We've reached a point now where Firefox, Chrome, and IE will all silently ignore an HTTP iframe on an HTTPS site.

Most iframe embed providers now provide an https or protocol-relative iframe code, but occasionally a user will still enter an http iframe, maybe from a site that isn't up to snuff yet, or copied from an older page. This leads to the unsatisfactory user experience where they've entered an iframe code, but the iframe doesn't show up at all.

We should change our safe iframe code so that it detects these HTTP iframes and rewrites them to HTTPS or protocol-relative.

This is also a bit of a security issue (mixing HTTP content on an HTTPS page) but since all modern browsers simply ban the unsafe iframe, it's a low-priority security issue.

Tags: iframes
Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/4827

Aaron Wells (u-aaronw) wrote :

Some additional steps to consider:

1. An upgrade script to retroactively find HTTP iframes and rewrite them to HTTPS. Full-database text find/replace scripts like that are often quite slow... although I suppose we could limit it by looking only for fields with the word "iframe" in them.

2. Updating the blocktype/externalvideo media sources so that they do this behavior as well. Currently only the Youtube mediasource rewrites the protocol of iframes.
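The rewrite described in the bug report and the "only look at fields containing the word iframe" shortcut from the comment above, as an added illustration that is not Mahara's own code (Mahara is PHP; this is a stand-alone Python sketch, and the row shape, function names and sample HTML are constructed for the example):

```python
import re

# Matches an <iframe ...> opening tag, case-insensitively, attributes in any order.
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Matches a src attribute (not data-src etc.) whose value starts with an explicit http:// scheme.
HTTP_SRC = re.compile(r"""((?<![\w-])src\s*=\s*["']?)http://""", re.IGNORECASE)


def rewrite_insecure_iframes(html: str, protocol_relative: bool = False) -> tuple[str, int]:
    """Rewrite http:// iframe src values to https:// (or // when protocol_relative)
    and report how many were changed.

    Only the src attribute inside <iframe> tags is touched; https:// and
    protocol-relative (//host) sources, and every other tag (links, images), are
    left as they are, so the rewrite cannot break non-iframe content.
    """
    replacement = r"\1//" if protocol_relative else r"\1https://"
    count = 0

    def fix_tag(match: re.Match) -> str:
        nonlocal count
        tag, n = HTTP_SRC.subn(replacement, match.group(0))
        count += n
        return tag

    return IFRAME_TAG.sub(fix_tag, html), count


def upgrade_rows(rows: list[dict]) -> list[dict]:
    """Upgrade-script style pass over stored HTML rows (constructed shape: id + text).

    Rows without the word "iframe" are skipped before the slower regex rewrite runs,
    which is the optimisation suggested in the comment; only changed rows are returned.
    """
    changed = []
    for row in rows:
        if "iframe" not in row["text"].lower():
            continue
        new_text, n = rewrite_insecure_iframes(row["text"])
        if n:
            changed.append({"id": row["id"], "text": new_text})
    return changed


# Constructed sample rows standing in for user-entered block content.
SAMPLE_ROWS = [
    {"id": 1, "text": "Plain text, no embed at all"},
    {"id": 2, "text": '<p>Video:</p><iframe src="http://player.example/v/1"></iframe>'},
    {"id": 3, "text": '<iframe src="https://player.example/v/2"></iframe>'},
    {"id": 4, "text": '<a href="http://player.example">not an iframe</a>'},
]

if __name__ == "__main__":
    for row in upgrade_rows(SAMPLE_ROWS):
        print(row["id"], row["text"])
```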

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4827
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/efe949976ef5a2ace679085a1151da7c392a24d0
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit efe949976ef5a2ace679085a1151da7c392a24d0
Author: Aaron Wells <email address hidden>
Date: Wed Jun 10 12:33:49 2015 +1200

Prevent HTTP iframes on an HTTPS site

Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/4922

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4923

Mahara Bot (dev-mahara) wrote :

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4924

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4924
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/7a7f066d81b4336b61b653eb189ad0c8095c1580
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit 7a7f066d81b4336b61b653eb189ad0c8095c1580
Author: Aaron Wells <email address hidden>
Date: Wed Jun 10 12:33:49 2015 +1200

Prevent HTTP iframes on an HTTPS site

Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4923
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/7c8f804fde55717c884463bcf5e7972ab42cba57
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 7c8f804fde55717c884463bcf5e7972ab42cba57
Author: Aaron Wells <email address hidden>
Date: Wed Jun 10 12:33:49 2015 +1200

Prevent HTTP iframes on an HTTPS site

Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4922
Committed: https://git.nzoss.org.nz/mahara/mahara/commit/f19b1e30aa1db3753f202ea69e79e89f535e1031
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit f19b1e30aa1db3753f202ea69e79e89f535e1031
Author: Aaron Wells <email address hidden>
Date: Wed Jun 10 12:33:49 2015 +1200

Prevent HTTP iframes on an HTTPS site

Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72
(cherry picked from commit efe949976ef5a2ace679085a1151da7c392a24d0)

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/6854

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/6854
Committed: https://git.mahara.org/mahara/mahara/commit/f11abcae0b426b1eb5023f8fc21b0f9a1a9dcb4b
Submitter: Aaron Wells (<email address hidden>)
Branch: master

commit f11abcae0b426b1eb5023f8fc21b0f9a1a9dcb4b
Author: Aaron Wells <email address hidden>
Date: Wed Jun 10 12:33:49 2015 +1200

Prevent HTTP iframes on an HTTPS site

Bug 1463629

behatnotneeded

Change-Id: I1d9e95b58579ed3309b8ccefcb444563b23120c5

no longer affects: mahara/15.10
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/8740

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8740
Committed: https://git.mahara.org/mahara/mahara/commit/7175f91e1295b7db52bc1302fda3c08305dc113d
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 7175f91e1295b7db52bc1302fda3c08305dc113d
Author: Aaron Wells <email address hidden>
Date: Wed Jun 10 12:33:49 2015 +1200

Bug 1759367: Cherry-pick for Prevent HTTP iframes on an HTTPS site

Cherry pick of Bug 1463629 for the upgrade of html purifier to 4.10.0

behatnotneeded

Change-Id: I0c89f64f567d55b8a9ffd3772bdc23563103a93d

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "18.04_STABLE" branch: https://reviews.mahara.org/8762

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8762
Committed: https://git.mahara.org/mahara/mahara/commit/2cb03d04c810a5963c81324267259096154a0d79
Submitter: Robert Lyon (<email address hidden>)
Branch: 18.04_STABLE

commit 2cb03d04c810a5963c81324267259096154a0d79
Author: Aaron Wells <email address hidden>
Date: Wed Jun 10 12:33:49 2015 +1200

Bug 1759367: Cherry-pick for Prevent HTTP iframes on an HTTPS site

Cherry pick of Bug 1463629 for the upgrade of html purifier to 4.10.0

behatnotneeded

Change-Id: I0c89f64f567d55b8a9ffd3772bdc23563103a93d

This report contains Public Security information  
Everyone can see this security related information.