Closed Bug 260988 Opened 20 years ago Closed 12 years ago

favicon still loaded after canceling site load due to userpass warning

Categories

(Firefox :: General, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: jmd, Unassigned)

Details

Firefox 0.10, filing under "Browser" based on bug 122445. Attempt to load jmd@pobox.com as a URL. You will receive a warning that you are about to load the site "pobox.com" as the user "jmd". Click No, that it's not OK. pobox.com will not be loaded, however, the favicon will be downloaded and set as the icon for the tab (though it doesn't seem to be set in the URL bar itself.)
The defensive auth dialogs came from bug 232567, not bug 122445
Assignee: dveditz → darin
Component: Security: General → Networking: HTTP
There are are several favicon bugs like this one, and opinion is divided (to say the least) on how this should be handled. FWIW, the favicon set up seems to me to be fundamentally broken (it seems to work at the server level, and as you say can slip past authorization), so I don't really see how it can be completely fixed; and though I agree with you that 'Cancel' should mean 'Cancel' and 'No' should mean 'No' I don't really feel that there is a real complaint if the browser displays the bits if it has been able to acquire them.
> I don't really feel that there is a real complaint if the browser displays > the bits if it has been able to acquire them. I think even that qualifies as a bug, though admittedly minor, assuming there are no security concerns (though you might make a case for privacy concerns--clicking "No" still causes traffic to hit the potential phishing site, revealing time/ip/os/browser to the attackers). After clicking "No", you will have the previous page displayed in the browser (say, this bugzilla page, but with the icon of the site you canceled the load of (say, the bizarre heart logo of pobox.com) next to its tab. It's the mismatch that's the issue. Again, a minor one, assuming the security and privacy implications are judged to be not a concern.
I wholeheartedly agree with comment 3 - I am just doubtful of my ability to convince anyone else of this. There are roughly 94 favicon bugs in total, and most of these ones have something in common with this bug: 109959 110421 113430 116801 118448 120304 121518 133755 162893 163109 186532 238348 240795 242512 250458 252540 253045 255085 255188 258461
Favicons are downloaded and set completely in the front end code; HTTP has nothing to do with it.
Assignee: darin → firefox
Component: Networking: HTTP → General
Product: Browser → Firefox
QA Contact: firefox.general
This looks to me like its a dupe of bug 258461.
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060509 Minefield/3.0a1 This bug is well over a year old. It looks like a special case of Bug 258461 "Canceling page load results in incorrect favicon displaying on the tab bar", but I suspect that the reporter wanted a fix specifically for the phishing implications of this one, even if the wider work for that bug took longer. I suspect that a fix for that bug would close this one, but that bug also looks inactive. If it is really intended to leave these bugs unfixed, then you might want to state why and mark as WONTFIX or FUTURE.
Assignee: bross2 → nobody
I am unable to reproduce this bug, testing jared@msu.edu on a new tab in Firefox Nightly 21.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.