Bug 1600493 Comment 20 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

@Magnus:
Yeah, if you wanted, I guess it could be fixed this way. If the http call didn't redirect to https, return an error.
I'd rather not complicate the code for this extreme edge case, or even break other cases for it, but I'll have to see what this would look like in code. It's possible that there is a clean fix.

@Gunter:
> wildcard DNS entries are not that uncommon, and AFAIK there's also no rule or convention which forbids a domain's default host to use HTTP Basic Authentication.

Wildcard DNS entries are generally a bad idea, for reasons like this. Some hosters offer them. But they break a lot of stuff. This isn't the only thing that will go wrong.

DNS wildcards surely do exist, I've never seen one with HTTP auth on it. Usually, they just redirect to the main website. Sure, it's not forbidden, but it causes this specific issue here.

@Magnus:
Yeah, if you wanted, I guess it could be fixed this way. If the http call didn't redirect to https, return an error.
I'd rather not complicate the code for this extreme edge case, or even break other cases for it, but I'll have to see what this would look like in code. It's possible that there is a clean fix.

@Gunter:
> wildcard DNS entries are not that uncommon, and AFAIK there's also no rule or convention which forbids a domain's default host to use HTTP Basic Authentication.

Wildcard DNS entries are generally a bad idea, for reasons like this. Some hosters offer them. But they break a lot of stuff. This isn't the only thing that will go wrong.

DNS wildcards surely do exist, I've never seen one with HTTP auth on it. Usually, they just redirect to the main website. Sure, it's not forbidden, but it causes this specific issue here

> sending login credentials via unencrypted channels is probably no really good idea nowadays

We're not.

@Magnus:
Yeah, if you wanted, I guess it could be fixed this way. If the http call didn't redirect to https, return an error.
I'd rather not complicate the code for this extreme edge case, or even break other cases for it, but I'll have to see what this would look like in code. It's possible that there is a clean fix.

@Gunter:
> wildcard DNS entries are not that uncommon, and AFAIK there's also no rule or convention which forbids a domain's default host to use HTTP Basic Authentication.

Wildcard DNS entries are generally a bad idea, for reasons like this. Some hosters offer them. But they break a lot of stuff. This isn't the only thing that will go wrong.

DNS wildcards surely do exist, I've never seen one with HTTP auth on it. Usually, they just redirect to the main website. Sure, it's not forbidden, but it causes this specific issue here.

Your server *does* respond to AutoDiscover requests, so your server is clearly causing this bug, and not TB.

> sending login credentials via unencrypted channels is probably no really good idea nowadays

We're not.
