Editor causes unauthenticated content warnings over SSL in FF 3.5

[jonathanc]

Firefox 3.5 is showing an unauthenticated content warning icon on https pages with editors. Such warnings look unprofessional and tend to scare users away.

The offending code is in ckeditor.js:

document.write(

'<script type="text/javascript" src="' + CKEDITOR.getUrl( '_source/core/loader.js' ) + '"></script>' );

[tobiasz.cudnik]

Problem exists in wysiwyg area plugin, which fills iframe using document.write & document.close. This causes FF to report unauthenticated content notice.

This seems very relevant to ​this gecko bug.

As for now i don't have idea how to deal with this. I'm testing different approaches to replace document.write.

[tobiasz.cudnik]

Patch binds WYSIWYG area creation to iframe's onload. Works for all browser without workaround for FF and Opera. Custom domain is supported, but needs to be set 2 times.

[fredck]

This approach would be good for several reasons. The most important thing is that we would not need to use a "bridge" to send the data to the iframe to be written, which makes the code much clearer.

Some things to be considered in the patch:

• The "CKEDITOR._[ 'cke_htmlToLoad_' + editor.name ]" trick is not anymore needed. We can pass "data" directly to the createIFrame function at line 507.

• The "onLoad" variable is not needed. The function can be passed directly to the on() call, and it's enough to call e.removeListener() to remove it at line 245.

• The isCustomDomain variable has been removed from line 220, but isCustomDomain() is called twice in the patch, so it makes sense leaving that line intact and simply used the variable.

In any case, these changes are too risky to be done at this stage. We can work on it as soon as we release the 3.0.

[tobiasz.cudnik]

I've implemented listed points and updated patch against newest trunk.

Bad news is that this doesn't seem to resolve unencrypted content notice on newest FF 3.5 (both win and linux).

[tobiasz.cudnik]

FF 3.5 warning comes from HC detection in _bootstrap.js L25. It's about getComputedStyle particularly. Wondering if there's other way to determine is HC active in a browser.

[tobiasz.cudnik]

Reason for this is use of "about:blank" hack as image source for browser other than IE 6. FF 3.5 parses this as "url(about:blank)" which is the reason for mixed-content SSL warning.

[fredck]

• Let's have a dedicated ticket for each thing at this point. Please open a new ticket for the wysiwyg data loading refactoring and provide a patch there.

• For this ticket instead, it looks like the HC check fix is the only needed thing. The problem of using spacer.gif is that it makes this image file being downloaded, and we must avoid it. If there is no other way for it, let's include CKEDITOR.env.https in the check.

[garry.yao]

Both issues ( document.write and about:blank ) are causing the 'partial authentication' error, so fixes to both places are needed.
Proposing of constructing image url with dataURI in supported browsers.

[fredck]

Please commit it into the 3.1.x branch. We need to well test it over all browsers before releasing.

[garry.yao]

Fixed with [4583] at 3.1.x branch.

[tkrah]

Updating from 3.1 to 3.2 this is an issue again - don't know if its the same "cause", but firefox does complain again about unsecure content.

[garry.yao]

We've already have #5359 opened for this, please keep update with that ticket.

[delete_my_account]

Replying to garry.yao:

We've already have #5359 opened for this, please keep update with that ticket.

I was a little bit puzzled, the correct ticket would be #5259