Closed Bug 1221206 Opened 9 years ago Closed 8 years ago

Turn on Insecure Password Warning for Firefox Dev Edition

Categories

(Firefox :: Security, defect, P1)

44 Branch
defect

Tracking

VERIFIED FIXED
Firefox 46
Iteration:
46.3 - Jan 25
Tracking Status
firefox46 + verified
relnote-firefox --- 46+

People

(Reporter: tanvi, Assigned: tanvi)

References

(Blocks 1 open bug)

Details

(Keywords: site-compat, Whiteboard: [fxprivacy])

Attachments

(1 file)

The pref for this is nightly only right now (https://bugzilla.mozilla.org/show_bug.cgi?id=1217156).

This bug is to enable it on dev edition.  The "depends on" bugs below are blocking this change.

So far they are:
https://bugzilla.mozilla.org/show_bug.cgi?id=1217766 - don't warn for pdf.js
https://bugzilla.mozilla.org/show_bug.cgi?id=1217133 - don't warn for localhost

I don't think the other bugs (dependencies of the meta bug 1217142) are needed to turn this feature on for developer edition.  If others disagree, please provide your thoughts here.
Whiteboard: [fxprivacy] → [fxprivacy] [triage]
Pasted the wrong bugs into dependencies.  Fixing.
Depends on: 1217766, 1217133
No longer depends on: 1216802, 1217162
Will be prioritized as a 'P1' and added to the Release 45 plan once the two dependencies are resolved.
Priority: -- → P2
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
I'll do this once the dependencies are resolved.
Assignee: nobody → tanvi
Depends on: 1221771
Depends on: 1217165
Blocks: 1216897
No longer blocks: 1217142
Blocks: 1188121
No longer blocks: 1216897
Blocks: 1217142
Depends on: 1231914
Priority: P2 → P3
Release Note Request (optional, but appreciated)
[Why is this notable]: Improve the security of our users
[Suggested wording]: Usage of the password field on HTTP marks the website as insecure
[Links (documentation, blog post, etc)]: Not to link against a third party website but FYI: http://www.ghacks.net/2015/10/21/firefox-44-special-notification-if-logins-are-not-secure/
relnote-firefox: --- → ?
(In reply to Sylvestre Ledru [:sylvestre] from comment #4)
> Release Note Request (optional, but appreciated)
> [Why is this notable]: Improve the security of our users
> [Suggested wording]: Usage of the password field on HTTP marks the website
> as insecure
> [Links (documentation, blog post, etc)]: Not to link against a third party
> website but FYI:
> http://www.ghacks.net/2015/10/21/firefox-44-special-notification-if-logins-are-not-secure/

This hasn't happened yet, so we don't need release notes yet.  This is only turned on in Nightly.  We hope to turn it on in dev edition in Firefox 46.  We need to close all the dependencies first.
We are a week away from 46 moving to aurora. Is this ready to ship to dev edition?
It looks like bug 1179961 and bug 667233 may be related as well and they have some dependencies not noted here.  We should also get ready for QE to test this feature in mid-aurora.

How will this be disabled for aurora, if we need to do that?
Flags: needinfo?(tanvi)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> We are a week away from 46 moving to aurora. Is this ready to ship to dev
> edition?

I think the dependencies here are correct. We're waiting on bug 1217766; that will also fix bug 1221771 unless it's heavily changed in review.

> How will this be disabled for aurora, if we need to do that?

This bug will just switch the default state of the preference by changing the "#ifdef"; we can back it out if other major blockers arise later.

http://mxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js#1397
Flags: needinfo?(tanvi)
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #6)
> How will this be disabled for aurora, if we need to do that?
This feature is already disabled on aurora.  If we get 121776 and 1221771 done by next week, I will add a patch here to enable this on aurora and push that.

The other bugs you mentioned are blockers to get this in release, which we aren't going to do just yet.  We want to give developers a chance to fix their issues by keeping this warning on dev edition for a bit.
All the dependencies for turning on the insecure password warning for dev edition are fixed[1].  Here is a patch to turn the warning on for non-release and non-beta builds.  This will include nightly, dev edition, and local nightly and dev edition builds.

[1] The Learn More link bug isn't closed, but only because of a couple minor edits that just need to be approved.  It is okay as it is as well, so we can consider that bug done.
Attachment #8710111 - Flags: review?(MattN+bmo)
Comment on attachment 8710111 [details] [diff] [review]
Bug1221206-01-20-16.patch

Review of attachment 8710111 [details] [diff] [review]:
-----------------------------------------------------------------

I think the current Control Center panel string is confusing for the developer audience and should be revised at some point.
Attachment #8710111 - Flags: review?(MattN+bmo) → review+
Keywords: checkin-needed
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/b6f7edabbf1e
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Iteration: --- → 46.3 - Jan 25
Flags: qe-verify?
Priority: P3 → P1
Keywords: site-compat
(In reply to Kohei Yoshino [:kohei] from comment #14)
> The site compatibility doc is here:
> https://www.fxsitecompat.com/en-CA/docs/2015/non-https-sites-containing-login-form-will-be-marked-insecure/

Thank you Kohei!
Flags: qe-verify? → qe-verify+
QA Contact: paul.silaghi
Bug 1217133, bug 1217766 are verified fixed.
Tested on 46.0a2 (2016-01-25) Win7:
- security.insecure_password.ui.enabled=TRUE
- The lock with a strikethrough is displayed fine on the test pages:
http://people.mozilla.org/~tvyas/password/password_insecure.html
http://people.mozilla.org/~tvyas/password/frame_password.html
Verified fixed.
Status: RESOLVED → VERIFIED