Security Blog

The latest news and insights from Google on security and safety on the Internet

Trying to end mixed scripting vulnerabilities

June 16, 2011
Share on Twitter Share on Facebook
Google

15 comments :

BananaSlug said...

I get the mixed display issue in Gmail all the time...
Does this mean the entire HTTPS session is shot?

June 16, 2011 at 4:05 PM
Motoma said...

Hey that's great; now if only AdSense would start serving over HTTPS.

June 16, 2011 at 4:11 PM
Erik said...

This happens a lot in Google Reader, too. Particularly when a feed embeds to a Youtube video.

June 16, 2011 at 4:31 PM
Chris Evans said...

@BananaSlug: (nice nick ;-) mixed display isn't too bad; the HTTPS session isn't automatically shot. Probably, an HTML e-mail had an img tag to some HTTP resource? Longer term, perhaps they can be proxied.

@Motoma: interesting, do you have a sample URL that only works over HTTP?

June 16, 2011 at 6:16 PM
fugufish said...

question regarding cross-browser origin errors:

will this affect iframed web apps that load the files from another website?

eg:

a facebook canvas game takes it's files from a server and displays it to the user.

normally, in the debug console this would occur (but it will still pass normally:

Unsafe JavaScript attempt to access frame with URL http://apps.facebook.com/app_name/ from frame with URL http://anothersite.com. Domains, protocols and ports must match.

June 16, 2011 at 9:12 PM
Melvin Ram said...

YouTube videos are a common culprit. Please add HTTPS support to YouTube before releasing this feature.

June 16, 2011 at 9:49 PM
abarth said...

@MevlinRam: Very true! I believe YouTube does now support HTTPS embedding.

June 17, 2011 at 4:26 PM
Anonymous said...

Isn't the answer to this, from the attacker's standpoint, to serve malicious scripts and other content from HTTPS sites? You can get CA-issued certs for free these days.

June 20, 2011 at 2:04 PM
Anonymous said...

And about the default-block of mixed scripting in Chrome 14, I frequently get mixed scripting errors in Reader and maybe even in GMail. What happens in those cases? Maybe they should be blocked. I wish it would be possible just to strip the scripts.

June 23, 2011 at 8:39 AM
Chris Evans said...

@Larry: There are some bug fixes underway in Reader. If you get the infobar in Gmail, put a comment here on how to reproduce it and it'll get fixed.

Regarding the attacker's standpoint, the attacker doesn't have any control over where the scripts are loaded from. So getting https://www.evilscripts.com/ won't help the attacker defeat mixed scripting blocks.

June 23, 2011 at 7:05 PM
Ericlaw said...

Is the reason that Chrome will continue to allow insecure subframes because AdSense does not support HTTPS and blocking insecure subframes would break Google's revenue stream?

June 24, 2011 at 2:13 PM
Yuhong Bao said...

EricLaw: It seems that AdSense is based on a script loaded from Google which do not support HTTPS:
https://www.google.com/adsense/support/bin/answer.py?answer=10528
Linking to this script using HTTP on a HTTPS site would be a mixed scripting attacks that would be blocked.
You can see this for example if you visit LKML.

July 12, 2011 at 11:13 PM
Yuhong Bao said...

Actually, the AdSense script URL seems to work via HTTPS now. But I can't really see any danger if there is no script inside the IFRAME.

July 12, 2011 at 11:23 PM
Unknown said...

為何婚后男人更“萎”了?
性功能障礙所致這是發生陽萎原因主要之一,約占陽萎總數威而鋼 犀利士哪裡買 壯陽藥品 壯陽藥 威而鋼哪裡買 犀利士專賣 威而鋼 威而鋼哪裡買 威而鋼專賣店 威而鋼藥局 情色貼圖的百分之九十左右,由性功能障礙引起的陽萎主要表現在:  1.精神因素所致。男子在情緒不佳,如悲痛、憂愁、恐懼、焦慮、抑郁或過度緊張時,大腦皮層的功能失調,造成性功能失調,引起陽萎。另外,缺乏性知識,對性生活缺乏正確認識,或受某種刺激,都會影響性功能,犀利士 犀利士 犀利士 犀利士 犀利士 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 威而鋼 犀利士 壯陽藥品去哪買 犀利士 犀利士 犀利士 犀利士 犀利士 威而鋼 犀利士以致引起陽萎。
  2.男子過度勞累或身體衰弱,就會引起大腦皮層活動障礙,從而影響性功能,出現陽萎。
  3、婚后房事過額,或婚前長期手淫,侵大腦皮層性中樞經常處于興奮狀態,從而引起性中樞疲勞而轉入抑制狀態,出現陽萎。
  4.長期酗酒、吸煙或經常服用鎮靜藥,使大腦皮壯陽藥 威而鋼 壯陽藥 犀利士 犀利士 犀利士專賣 犀利士哪裡買 犀利士5mg價格 壯陽藥品 犀利士專賣 威而鋼 壯陽藥 威而鋼專賣店 犀利士哪裡買層處于抑制狀態,導致性功能減弱,從而出現陽萎。
  吃壯陽菜應審“時”度“勢”:所謂度勢,即必須根據自身具體情況而定。個人由于年齡、體質等方面的差異,在食療進補時也會出現不同。壯陽藥 壯陽藥品 犀利士 威而鋼 威而鋼哪裡買 犀利士 犀利士 壯陽藥品 壯陽藥比如,年紀大的人不宜過補,燥熱體質的人不宜在夏季食用過多食補物品。如果是對某些食物有過敏性反應的就更應該注意了。

January 23, 2014 at 4:11 AM
Unknown said...

What if the google.com(https://www.google.com.ph/?gfe_rd=cr&ei=ZCGIU8jhFeOJ8Qenk4Fg)
is also crossed-out in red?

How is it? Thanks :)

May 30, 2014 at 2:13 AM

Post a Comment

  

Labels


  • #sharethemicincyber
  • #supplychain #security #opensource
  • android
  • android security
  • android tr
  • app security
  • big data
  • biometrics
  • blackhat
  • C++
  • chrome
  • chrome enterprise
  • chrome security
  • connected devices
  • CTF
  • diversity
  • encryption
  • federated learning
  • fuzzing
  • Gboard
  • google play
  • google play protect
  • hacking
  • interoperability
  • iot security
  • kubernetes
  • linux kernel
  • memory safety
  • Open Source
  • pha family highlights
  • pixel
  • privacy
  • private compute core
  • Rowhammer
  • rust
  • Security
  • security rewards program
  • sigstore
  • spyware
  • supply chain
  • targeted spyware
  • tensor
  • Titan M2
  • VDP
  • vulnerabilities
  • workshop


Archive


  •     2025
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2024
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2023
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2022
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2021
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2020
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2019
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2018
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2017
    • Dec
    • Nov
    • Oct
    • Sep
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2016
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2015
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2014
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • Apr
    • Mar
    • Feb
    • Jan
  •     2013
    • Dec
    • Nov
    • Oct
    • Aug
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2012
    • Dec
    • Sep
    • Aug
    • Jun
    • May
    • Apr
    • Mar
    • Feb
    • Jan
  •     2011
    • Dec
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • Jun
    • May
    • Apr
    • Mar
    • Feb
  •     2010
    • Nov
    • Oct
    • Sep
    • Aug
    • Jul
    • May
    • Apr
    • Mar
  •     2009
    • Nov
    • Oct
    • Aug
    • Jul
    • Jun
    • Mar
  •     2008
    • Dec
    • Nov
    • Oct
    • Aug
    • Jul
    • May
    • Feb
  •     2007
    • Nov
    • Oct
    • Sep
    • Jul
    • Jun
    • May

Feed

Follow
Give us feedback in our Product Forums.
  • Google
  • Privacy
  • Terms