Bug 1528189 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Original comment by

mail

on 2019-02-15 02:32:18 PST

(Hidden by Administrator)

Revision 1 by

Matthew N. [:MattN]

on 2019-04-01 15:27:37 PDT

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

Run the following HTML form on a domain with a valid HTTPS connection:

```html
<form enctype="application/x-www-form-urlencoded" method="post">
  <label>
    Your organization
    <input type="text" name="tenant" minlength="4" maxlength="255" value="" autocomplete="organization" required>
  </label>
  <label>
    Email Address
    <input type="email" name="email" minlength="6" maxlength="255" autocomplete="email" required>
  </label>
  <label>
    Password
    <input type="password" name="password" minlength="6" maxlength="255" autocomplete="current-password" required>
  </label>
  <button type="submit">Submit</button>
</form>
```

Enter the password field and start editing.


Actual results:

When you enter the password field you'll see the dropdown with the warning "This connection is not secure. Logins entered here could be compromised. Learn more." which is completely misleading because when the form's `action` attribute is empty the form is submitted via HTTPS to the same endpoint it's rendered from (according to this HTML spec 4.10.21.3 item #12 https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#form-submission-algorithm). It's also displayed that way in the Network section of the dev tools.


Expected results:

I expect this security warning to be not displayed because the form is submitted via HTTPS and there is no security risk.