Bug 1210885 (Open, UNCONFIRMED)
Opened 9 years ago
Updated 2 years ago
HTTP 401 errors will trigger login prompts when inlined on third party websites
Categories: Core :: Networking: HTTP, defect, P3
People: Reporter: josh, Unassigned
Whiteboard: [necko-backlog]
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2371.0 Safari/537.36

Steps to reproduce:
Using the <img /> tag to inline content from a website (even a 3rd party remote website) that is behind an HTTP Authentication screen will trigger a prompt asking for login credentials. For instance, link this image on a forum: http://filthyfigments.com/members/comics/onelatenight/0109.jpg

Actual results:
You will get this prompt: http://i.imgur.com/WOgt5Ec.png
This scares the hell out of people.

Expected results:
I expected a broken image. When someone tried to link this image (which apparently belongs to a paid-user area of a porn site), dozens of people browsing the index page of my website who use Mozilla Firefox got a prompt asking them for their porn site credentials, which made them believe their browser or my website was compromised by a virus. Nobody who was introduced to computers in the last decade has used an HTTP Authentication form. Nobody knows what they look like. This should be hidden unless you are accessing the document directly.
Updated•9 years ago
Blocks: 61681
Component: Untriaged → Networking: HTTP
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
Comment 1•9 years ago
If you go to about:config and then search for network.auth.subresource-http-auth-allow and change its value to 1, this will not allow an authentication dialog to prompt for cross-origin subresources. But we cannot put this as default because it breaks some sites and is actually wanted behavior. See bug 647010.
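The preference above is a client-side switch. As an added illustration that is not part of this bug thread, here is the server-side counterpart for a site that protects images with HTTP Basic auth and does not want its 401 challenge to raise a login prompt when one of its images is embedded cross-origin. It assumes the browser sends the Sec-Fetch-Site and Sec-Fetch-Dest request headers (current Firefox and Chrome do; the 2015 browsers in this report did not) and uses a constructed test credential.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed test credential; a real deployment would look users up in a store.
USERS = {"alice": "correct horse"}


def basic_auth_ok(authorization: Optional[str]) -> bool:
    """Return True if the Authorization header carries a valid Basic credential."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user, "")
    # Constant-time compare; an unknown user compares against "" and fails the same way.
    return user in USERS and hmac.compare_digest(expected.encode(), password.encode())


def respond(request_headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Pick the status and headers for a request to a Basic-auth-protected image.

    A 401 carrying WWW-Authenticate is what makes the browser open a login dialog.
    For a cross-site subresource fetch (an <img> on someone else's page) we answer
    403 with no challenge, so the embedding page shows a broken image instead of a
    credential prompt. Top-level navigations, and browsers that send no Sec-Fetch
    headers at all, still receive the ordinary challenge.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    if basic_auth_ok(h.get("authorization")):
        return 200, {"Content-Type": "image/jpeg"}
    cross_site = h.get("sec-fetch-site") == "cross-site"
    top_level = h.get("sec-fetch-dest") == "document"
    if cross_site and not top_level:
        return 403, {"Content-Type": "text/plain"}
    return 401, {"WWW-Authenticate": 'Basic realm="members"', "Content-Type": "text/plain"}
```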
Well, that's just another reason to keep using Chrome I guess. I feel bad for people who trust Firefox at work and visit an unsuspecting website only to see "Enter in your fetishlord.xxx details!" thrown up in the middle of the screen. Very few people use 401s in 2015, especially in this obscure and counter-intuitive way. I think it's OK to tell the Internet to grow up sometimes.
Proof of concept: http://animalfetishporn.us/ I sincerely believe this will be abused and have done my part to make sure that happens.
Updated•8 years ago
Whiteboard: [necko-backlog]
Comment 4•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Comment 5•7 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Updated•2 years ago
Severity: normal → S3