
Security in IE6

The automation team noticed the curious incident of the dog in the night time today. C & G, you go, sisters.

But the big surprise is that I can't find an obvious link on the Microsoft website for those that think they've found yet another security issue. Given their track record, I'm disappointed it's not their splash page.

In any case, IE6 does not show the "Display Mixed Content" prompt when it should: when a secure (HTTPS) page retrieves a stylesheet via plain HTTP.

A what what what? Here's an example. There you'll find links to two pages, which are almost identical: each has a LINK element for a stylesheet, some explanatory text and an IMG element.

The only difference is the protocol specified in the URL for the stylesheet.

Https Stylesheet uses the https protocol. The browser loads the HTML (retrieving it via HTTPS), then loads the stylesheet (HTTPS), renders the HTML, then prompts. If you accept the content, the image is loaded (HTTP).

Http Stylesheet uses http, and here's where the trouble is. The browser loads the HTML (HTTPS), then loads the stylesheet (HTTP), renders the HTML, then the image (HTTP). Look Ma, no prompts.

Now, IE 5.5 displays prompts in both cases [disclaimer, I was using slightly different examples in the labs today]. In the first case, the behavior is identical. In the second case, the expected prompt appears before the page begins to render - you can see the empty background, and the server logs indicate that the browser has paused in the right place - before obtaining the stylesheet.

Is this behavior exploitable? No more so than the behavior I expected. My attempts to find other reports of this issue turned up legions of "I'm tired of being prompted, how do I make that box go away" queries.
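A check for the condition described above, as an added example (not code from the original post): it parses an HTML page the way a defender's regression test would, resolving every LINK, IMG, SCRIPT and IFRAME reference against the page's own HTTPS URL and flagging any that end up on plain http, so a page that silently pulls its stylesheet over HTTP is caught before a browser has to prompt. The sample pages and the example.test URLs are constructed; the active/passive split (stylesheets, scripts and frames can alter the page, images cannot) goes beyond what the post discusses.

```python
"""Flag mixed-content subresources in an HTML page served over HTTPS."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Elements whose attribute triggers a fetch. Stylesheets, scripts and frames
# can change what the page does (active content); images are passive.
FETCH_ATTRS = {"link": "href", "img": "src", "script": "src", "iframe": "src"}
ACTIVE_TAGS = {"link", "script", "iframe"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, absolute URL, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in FETCH_ATTRS:
            return
        # Only stylesheet LINKs are fetched; ignore e.g. rel="alternate".
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        ref = attrs.get(FETCH_ATTRS[tag])
        if not ref:
            return
        # Relative and protocol-relative refs inherit the page's scheme,
        # so only a fully qualified http:// reference is mixed content.
        url = urljoin(self.page_url, ref)
        if urlsplit(url).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, url, kind))


def scan_mixed_content(page_url, html):
    """Return mixed-content findings for an HTTPS page; [] for a plain page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on a secure page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed pages mirroring the two examples: same markup, stylesheet scheme differs.
HTTPS_STYLESHEET_PAGE = ('<html><head><link rel="stylesheet" href="https://example.test/style.css">'
                         '</head><body><p>Explanatory text.</p>'
                         '<img src="http://example.test/pic.gif"></body></html>')
HTTP_STYLESHEET_PAGE = HTTPS_STYLESHEET_PAGE.replace("https://example.test/style.css",
                                                     "http://example.test/style.css")

if __name__ == "__main__":
    for name, page in (("https-stylesheet", HTTPS_STYLESHEET_PAGE),
                       ("http-stylesheet", HTTP_STYLESHEET_PAGE)):
        print(name, scan_mixed_content("https://example.test/%s.html" % name, page))
```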

January 23, 2003 10:43 PM

Comments

I'm having exactly the same issue with IE6. The stylesheet example is a good one, but IE6 also fails to prompt about mixed mode problems in other scenarios, e.g. banner ad images tend to have fully qualified http:// links and IE6 fails to prompt when they appear in an https:// page. IE5 and 5.5 both did report these problems consistently, hence IE6 makes developing / testing a lot harder than it should be. Come on MS sort it out!!!

Comment by: Ian, September 1, 2003