Closed
Bug 182179
Opened 22 years ago
Closed 19 years ago
False unencrypted submit warning when action is javascript submitting a different form
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: spamtrap, Assigned: dveditz)
References
()
Details
(Keywords: fixed1.8)
Attachments
(1 file)
3.16 KB,
patch
|
dveditz
:
review+
darin.moz
:
superreview+
asa
:
approval1.8b4+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.1) Gecko/20021104 Chimera/0.6 Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.1) Gecko/20021104 Chimera/0.6 AFAIK the form in question is secure. I don't get warnings with other browsers. Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: Unencrypted warning. Expected Results: no warning
Rob, your bug report is incomplete. Please supply the steps to reproduce it.
To reproduce, 1 go to the supplied URL. 2 type in anything to the username and password fields 3 hit return or the submmit button.
Comment 3•22 years ago
|
||
Confirmed using 1217. URL provided was incorrect. Be sure to have the 3 options in Prefs-Security checked/on. Open that page https://www.ebank.hsbc.com.au/ Enter a name/pw (anything) Click on the red LogOn button just below the field. A sheet appears "send unencrypted" data. The Status bar shows a Blue Lock on the right.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•22 years ago
|
||
I think this happens because the submit action of the form is a "javascript:formSubmit();" URL.
Comment 5•22 years ago
|
||
This is a bug in Mozilla too. I haven't seen it before. Probably form submission but could be PSM's dialogs.
Component: General → Form Submission
OS: MacOS X → All
Product: Chimera → Browser
Hardware: Macintosh → All
Version: unspecified → Trunk
Comment 6•22 years ago
|
||
You are using a build based on Mozilla 1.0.1, which does not contain the fix from bug 151250. *** This bug has been marked as a duplicate of 151250 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Comment 7•22 years ago
|
||
kaie, I am seeing this in WinXP 2003012908. But that bug does not seem to have regressed. Rob, the page that you submit to is actually https, correct?
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Comment 8•22 years ago
|
||
I can't test with that page, something is wrong. When I connect with recent versions of Netscape/Mozilla, I get an error message about an unsupported browser. But even if I connect with Communicator 4.x, which they say they support, I get the same error page...
This bug occurs on the same site as the evangelism bug I submitted <http://bugzilla.mozilla.org/show_bug.cgi?id=205631>. When accessing <https://www.ebank.hsbc.com.au/> with mozilla-on-gnu-linux, a page comes up asking you to use a supported browser (by the way, the list of "supported" browsers is incorrect - Communicator 4.79 doesn't work on linux or windows2000 for this site). When accessing with mozilla-on-windows2000, the normal login page appears, but when the "login" button is pressed a warning comes up about unencrypted information being sent over the https connection. I have no access to mozilla on other OS, so I don't know which of the two problems occurs with them! I think most of this is hsbc.com.au's fault, but when I emailed them they replied "linux is not a supported OS". That is why I submitted this as an evangelism bug with mozilla-on-gnu-linux, but the "submitting unencrypted" message on W2K is a little disturbing. Hope this helps.
Assignee | ||
Comment 10•20 years ago
|
||
*** Bug 277293 has been marked as a duplicate of this bug. ***
Assignee | ||
Comment 11•20 years ago
|
||
Not sure what site bug 277293 represents. Also broken is https://www.midamericabank.com/log_into.cfm doing the same action="javascript:validate()" submitting a hidden form kind of thing.
Assignee: saari → kaie
Status: REOPENED → NEW
Component: HTML: Form Submission → Client Library
Flags: blocking1.8b?
Flags: blocking-aviary1.1?
Product: Core → PSM
QA Contact: winnie
Summary: When you complete the form, it warns that the username/password will be sent unencrypted - shouldn't ? → False unencrypted submit warning when action is javascript submitting a different form
Whiteboard: [sg:nse]
Version: Trunk → unspecified
Comment 12•20 years ago
|
||
(In reply to comment #11) Daniel, bug 277293 is a general one. As suggested on comment #4, this happens for me in every page I got with "javascript:formSubmit();" (you can use any name you want on instead of the formSubmit()). I can send you the source for a simple test if you wish.
Updated•20 years ago
|
Flags: blocking1.8b?
Flags: blocking1.8b+
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1+
Comment 13•19 years ago
|
||
Dan, or Kai, are you going to be able to look into this for beta2 and Firefox 1.1? Moving blocker status to beta2 with fingers crossed.
Flags: blocking1.8b+ → blocking1.8b2+
Comment 16•19 years ago
|
||
I've just run into this, trying to create a page that constructs a URL based on the values input in a form and then "goes to" that URL. The form's action is "javascript:goThere()", which is my function defined in the header of the page. When accessed through https, firefox warns on submit that the data is being sent through an unencrypted connection. It works fine in IE and Safari.
Comment 17•19 years ago
|
||
Here's a simple patch that checks the action URL to see if it's JavaScript, and allows it to pass if so. I'm not sure if this is the best answer - eg. are there other non-connection-based form actions that should pass through also? Who needs to review this?
Updated•19 years ago
|
Attachment #176692 -
Flags: review?(dveditz)
Assignee | ||
Comment 18•19 years ago
|
||
*** Bug 288404 has been marked as a duplicate of this bug. ***
Comment 20•19 years ago
|
||
WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2) Gecko/20050609 Firefox/1.0+
Comment 21•19 years ago
|
||
moving to beta4
Flags: blocking1.8b4+
Flags: blocking1.8b3-
Flags: blocking1.8b3+
Updated•19 years ago
|
Whiteboard: [sg:nse] → [sg:nse] [blocking1.8b4? has patch, needs review? (dveditz)]
Assignee | ||
Comment 22•19 years ago
|
||
Comment on attachment 176692 [details] [diff] [review] Patch to allow posting to JavaScript form action URLS without security warning r=dveditz
Attachment #176692 -
Flags: superreview?(darin)
Attachment #176692 -
Flags: review?(dveditz)
Attachment #176692 -
Flags: review+
Comment 23•19 years ago
|
||
Comment on attachment 176692 [details] [diff] [review] Patch to allow posting to JavaScript form action URLS without security warning >Index: nsSecureBrowserUIImpl.cpp >+nsresult >+nsSecureBrowserUIImpl::IsURLJavaScript(nsIURI* aURL, PRBool* value) >+{ >+ *value = PR_FALSE; >+ >+ if (!aURL) >+ return NS_OK; >+ >+ return aURL->SchemeIs("javascript", value); >+} This code appears to be mixing tabs and spaces. It is generally preferrable to replace all tabs with spaces for readability. >+ // Action is a JavaScript call, not an actual post. That's okay too. >+ if (actionJavaScript) { >+ return NS_OK; >+ } What about data: URLs? sr=darin
Attachment #176692 -
Flags: superreview?(darin) → superreview+
Assignee | ||
Comment 24•19 years ago
|
||
> What about data: URLs?
They don't make a lot of sense as an action -- they're not going to get the post
data, and they replace the current document and won't have access to the form
itself. No one's mentioned any problems with data:, but javascript: is fairly
common.
javascript: could be used to pass unencrypted data back, but if the page is
malicious it could do that anyway apart from the submit action. Legit cases use
the javascript to clean the data and populate a hidden form and then submit that
-- and that hidden form is going to get checked.
Assignee | ||
Updated•19 years ago
|
Attachment #176692 -
Flags: approval1.8b4?
Comment 25•19 years ago
|
||
See also: http://whatwg.org/specs/web-forms/current-work/#for-javascript http://whatwg.org/specs/web-forms/current-work/#for-data
Assignee | ||
Updated•19 years ago
|
Whiteboard: [sg:nse] [blocking1.8b4? has patch, needs review? (dveditz)] → [sg:nse] [needs approval]
Updated•19 years ago
|
Attachment #176692 -
Flags: approval1.8b4? → approval1.8b4+
Assignee | ||
Comment 26•19 years ago
|
||
(In reply to comment #25) > See also: > http://whatwg.org/specs/web-forms/current-work/#for-javascript > http://whatwg.org/specs/web-forms/current-work/#for-data That's an interesting use for data:, and you could file an RFE on it. But a page under development is probably not on an SSL server, and even if it is it's not going to kill the developer to put up with some unencrypted form warnings.
Comment 27•19 years ago
|
||
Oh I wasn't saying that it should affect this, just letting you know about it. :-)
Assignee | ||
Comment 28•19 years ago
|
||
Checking in nsSecureBrowserUIImpl.cpp; /cvsroot/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.cpp,v <-- nsSecureBrowserUIImpl.cpp new revision: 1.47; previous revision: 1.46 done Checking in nsSecureBrowserUIImpl.h; /cvsroot/mozilla/security/manager/boot/src/nsSecureBrowserUIImpl.h,v <-- nsSecureBrowserUIImpl.h new revision: 1.17; previous revision: 1.16 done
Status: NEW → RESOLVED
Closed: 22 years ago → 19 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•19 years ago
|
Whiteboard: [sg:nse] [needs approval]
Assignee | ||
Comment 29•19 years ago
|
||
Although fixed before the branch, the blocking1.8b5+ flag is causing this to show on queries without the fixed1.8 keyword. Should it regress I don't want to lose the blocking flag and can no longer set the b4+ flag.
Keywords: fixed1.8
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•