Bug 1571003 Comment 9 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

### Beta/Release Uplift Approval Request
* **User impact if declined**: DoS causing degraded browser performance and possibly OS instability. Prompts steal focus and make it difficult to close the website or browser. We've observed this being abused in the wild for phishing.
* **Is this code covered by automated tests?**: No
* **Has the fix been verified in Nightly?**: No
* **Needs manual test from QE?**: Yes
* **If yes, steps to reproduce**: Confirmation prompts listed below should *not* show when opening the sites in default configuration.

  AutomaticAuth shows when opening something like "http://user:password@jigsaw.w3.org/HTTP/Basic/" (directly shows login prompt when disabled)
  SuperfluousAuth shows for something like "http://facebook.com@example.com". (no prompt when disabled)
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Medium
* **Why is the change risky/not risky? (and alternatives if risky)**: Medium risk, because with the anti-spoofing dialogs disabled we might open a new attack vector. We will watch this closely and introduce telemetry (Bug 1594613) to see how widely userinfo in the URI is (ab)used.
* **String changes made/needed**:
### Beta/Release Uplift Approval Request
* **User impact if declined**: DoS causing degraded browser performance and possibly OS instability. Prompts steal focus and make it difficult to close the website or browser. We've observed this being abused in the wild for phishing.
* **Is this code covered by automated tests?**: No
* **Has the fix been verified in Nightly?**: No
* **Needs manual test from QE?**: Yes
* **If yes, steps to reproduce**: Confirmation prompts listed below should *not* show when opening the sites in default configuration.

  AutomaticAuth shows when opening something like "http://user:password@jigsaw.w3.org/HTTP/Basic/" (directly shows login prompt when disabled)
  SuperfluousAuth shows for something like "http://facebook.com@example.com". (no prompt when disabled)
* **List of other uplifts needed**: None
* **Risk to taking this patch**: Medium
* **Why is the change risky/not risky? (and alternatives if risky)**: Medium risk, because with the anti-spoofing dialogs disabled we might open a new attack vector. We will watch this closely and introduce telemetry (Bug 1594613) to see how widely userinfo in the URI is (ab)used. See comment by :dveditz for a more in-depth explanation.
* **String changes made/needed**:
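As an added example (not code from this bug or from Firefox), a defender-side classifier for the two URL shapes the repro steps name: a `user:password@host` URL that would be submitted automatically, and a username-only URL such as `http://facebook.com@example.com` whose userinfo is superfluous to the server but imitates another site. It assumes the WHATWG URL parser (Node's global `URL`) and a constructed list of brand hostnames to compare against.

```javascript
// Constructed allow-list of brand hostnames a userinfo segment might imitate.
const BRAND_HOSTS = ["facebook.com", "paypal.com", "example-bank.test"];

// The URL parser leaves a stray "%" unencoded, so decoding may throw; fall back to raw.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns { kind: "invalid" | "none" | "automatic-auth" | "superfluous-auth", ... }.
function classifyUserinfo(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { kind: "invalid", reason: String(e.message) };
  }
  // Only http(s) URLs carry credentials in the sense the bug discusses.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { kind: "none", host: url.host };
  }
  const username = safeDecode(url.username);
  const password = safeDecode(url.password);
  if (username === "" && password === "") {
    return { kind: "none", host: url.host };
  }
  // Case 1 (AutomaticAuth): user:password@host. The credentials in the URL
  // would be sent to the server without the user typing them.
  if (password !== "") {
    return { kind: "automatic-auth", host: url.host, username };
  }
  // Case 2 (SuperfluousAuth): username only. The server ignores it, but it
  // reads like the site the user believes they are visiting. Score how
  // host-like the username is and whether it matches a known brand.
  const lower = username.toLowerCase();
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(username);
  const imitates = BRAND_HOSTS.find((h) => lower === h || lower.endsWith("." + h)) || null;
  return {
    kind: "superfluous-auth",
    host: url.host,
    username,
    imitates,
    spoofScore: (looksLikeHost ? 1 : 0) + (imitates ? 1 : 0),
  };
}
```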
