[OPEN] [CLOSED][3.0.0] data: BLANK_IMAGE_URL Causes FF3.5 to report insecure site



tercero12
12 Sep 2009, 7:55 AM
Ext version tested:

Ext 3.0.0


Adapter used:

ext


css used: N/A

Browser versions tested against:

IE8
FF3.5


Operating System:

WinXP Pro


Description:
In order to get a fully secure rating in most modern browsers, all components of a page must be served over https. Without modifying Ext.BLANK_IMAGE_URL, it defaults to a data: protocol stream for IE8 and FF. FF does not consider the "data:" protocol to be a secure protocol, and thus the website does not have the pretty blue or green security bar in FF. IE8 behaves correctly in this regard.

Test Case:
Include ExtJS in any secure site and view it in FF. You should see a blue secure-site bar next to the address bar, but you don't. Now modify Ext.BLANK_IMAGE_URL to serve from a URL starting with https://. The blue bar should appear.

To see what the blue bar should look like, view https://www.amazon.com/ in Firefox.

The Fix:
Truly this is a bug in FF. But ExtJS can easily include code to work around this.

Change line 954 of ext-base-debug.js to fix this:

    // proposed change: also use the external s.gif (instead of the data: URI)
    // when the browser is Gecko and the page is served over SSL
    BLANK_IMAGE_URL : Ext.isIE6 || Ext.isIE7 || (Ext.isGecko && Ext.isSecure) ?
        'http:/' + '/extjs.com/s.gif' :
        'data:image/gif;base64,R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==',

mystix
12 Sep 2009, 8:33 PM
Wouldn't that still not work?

As far as I can tell, http://extjs.com/s.gif isn't secure either. :-?

additionally, since you're supposed to override Ext.BLANK_IMAGE_URL in the first place (and Ext.SSL_SECURE_URL in the event that SSL is involved), wouldn't this already be mitigated?

Condor
13 Sep 2009, 8:01 AM
Yes, the default BLANK_IMAGE_URL doesn't work in a secured page on any browser! You are supposed to replace it with a reference to s.gif on your own host (in the same domain - so also https in this case).

PS. SSL_SECURE_URL has nothing to do with this. In Ext 1 you also needed to update this one, but Ext 2 and 3 use a script reference that works in both cases (secured/unsecured).
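The recommendation above (serve s.gif from your own host over the page's own scheme) as an added example, not code from the thread or from ExtJS itself. It assumes a page origin of https://app.example.com and the Ext 3 resource path resources/images/default/s.gif; it builds a same-origin blank-image URL and audits a list of resource URLs for the two cases the thread discusses: the default data: URI and a plain http:// image on an https page.

```javascript
// Classify one resource URL relative to the page's own origin.
// pageOrigin is e.g. "https://app.example.com" (constructed value).
function classifyResource(url, pageOrigin) {
  if (url.startsWith('data:')) {
    // The thread reports that FF 3.5 does not treat data: as secure, so it
    // costs the page its security indicator even though nothing is fetched.
    return 'data-uri';
  }
  // URL() resolves absolute, protocol-relative ("//host/x") and relative paths.
  const resolved = new URL(url, pageOrigin + '/');
  const page = new URL(pageOrigin);
  if (page.protocol === 'https:' && resolved.protocol !== 'https:') {
    return 'mixed-content'; // e.g. http://extjs.com/s.gif on an https page
  }
  return resolved.origin === page.origin ? 'same-origin' : 'cross-origin-secure';
}

// Build the blank-image URL Condor recommends: s.gif on the same host and
// scheme as the page. The default path is an assumption about the Ext 3 layout.
function blankImageUrlFor(pageOrigin, path) {
  return new URL(path || '/resources/images/default/s.gif', pageOrigin + '/').href;
}

// Return the resource URLs that would prevent a fully secure rating.
function insecureResources(pageOrigin, urls) {
  return urls.filter(function (u) {
    const kind = classifyResource(u, pageOrigin);
    return kind === 'data-uri' || kind === 'mixed-content';
  });
}

// Constructed sample input: the Ext 3 default, the proposed http:// fix,
// a protocol-relative same-host URL, and the recommended same-origin URL.
const PAGE = 'https://app.example.com';
const DEFAULT_BLANK =
  'data:image/gif;base64,R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==';
const RESOURCES = [
  DEFAULT_BLANK,
  'http://extjs.com/s.gif',
  '//app.example.com/s.gif',
  blankImageUrlFor(PAGE)
];

// In a real page, apply the override before any Ext components render.
if (typeof Ext !== 'undefined') {
  Ext.BLANK_IMAGE_URL = blankImageUrlFor(PAGE);
}
```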

tercero12
14 Sep 2009, 4:57 AM
I confirm. This was an oversight on my end. You can disregard this request.