Closed Bug 1331224 Opened 7 years ago Closed 7 years ago

Spurious insecure password warning on Bugzilla

Categories

(Toolkit :: Password Manager, defect)

RESOLVED DUPLICATE of bug 1329940
Tracking Status
firefox53 --- affected

People

(Reporter: ekr, Unassigned)

References

(Blocks 1 open bug, )


Attachments

(1 file, 1 obsolete file)

Attached image Screen Shot 2017-01-14 at 5.34.19 PM.png (obsolete) —
      No description provided.
Attachment #8826893 - Attachment is obsolete: true
P.S. This was Nightly
From the screenshot I can see you were on enter_bug.cgi, what linked you to this page? If it was an insecure site then window.opener could have been insecure and this would be a dupe of bug 1329940.
Blocks: 1304224
Component: Untriaged → Password Manager
Flags: needinfo?(ekr)
Product: Firefox → Toolkit
See Also: → 1329940
I went to b.m.o and clicked "new".

Unfortunately, I can't repro it.
Flags: needinfo?(ekr)
I don't know why bugzilla.mozilla.org wouldn't be a secure context, but given this intermittent bug and others, I think we should switch to a more naive approach (isOriginPotentiallyTrustworthy) instead of using isSecureContext.  See bug https://bugzilla.mozilla.org/show_bug.cgi?id=1329940.  We can use isSecureContext in Nightly and debug issues and reports that come up there, until we are satisfied enough to use it in release.
(In reply to Tanvi Vyas - behind on bugmail [:tanvi] from comment #5)
> I don't know why bugzilla.mozilla.org wouldn't be a secure context, but
> given this intermittent bug and others, I think we should switch to a more
> naive approach (isOriginPotentiallyTrustworthy) instead of using
> isSecureContext.  See bug
> https://bugzilla.mozilla.org/show_bug.cgi?id=1329940.  We can use
> isSecureContext in Nightly and debug issues and reports that come up there,
> until we are satisfied enough to use it in release.

I don't have any reason to think this isn't caused by window.opener and therefore a dupe of bug 1329940. When the problem occurs we need to see the web console output for window.opener. In case you didn't know, window.opener persists across top-level cross-origin loads, so likely the tab in the screenshot was originally opened from an insecure context.
Duping to bug 1329940. Re-open if you can show that window.opener in your web console is secure.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
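
Added example, not part of the bug thread and not Firefox code: a simplified model of the two checks discussed above, showing how a tab on an HTTPS page can pass an origin-only check yet fail a context check because its opener is insecure. The window shape `{ url, opener, parent }`, the function names `findInsecureLink` and `isSecureContextModel`, and the sample URLs are assumptions made for illustration.

```javascript
// Simplified model (assumption): a window is { url, opener, parent }.

// Origin-only check: looks at nothing but the document's own URL.
function isOriginPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         /^127(\.\d{1,3}){3}$/.test(host) || host === "[::1]";
}

// Context check as described in the thread: the window's own origin and
// every window reachable through parent / opener must be trustworthy.
// Returns the first insecure link found, or null when the context is secure.
function findInsecureLink(win) {
  const seen = new Set();
  const queue = [{ win, path: "window" }];
  while (queue.length > 0) {
    const { win: w, path } = queue.shift();
    if (!w || seen.has(w)) continue;
    seen.add(w);
    if (!isOriginPotentiallyTrustworthy(w.url)) return { path, url: w.url };
    queue.push({ win: w.parent, path: path + ".parent" });
    queue.push({ win: w.opener, path: path + ".opener" });
  }
  return null;
}

function isSecureContextModel(win) {
  return findInsecureLink(win) === null;
}

// Constructed scenario: a tab is opened from an insecure page, then loads
// an HTTPS page at top level. The opener reference persists across the load.
const insecureOpener = { url: "http://insecure.example/links.html", opener: null, parent: null };
const tab = { url: "http://insecure.example/next.html", opener: insecureOpener, parent: null };
tab.url = "https://bugzilla.mozilla.org/enter_bug.cgi";

// Same page reached in a fresh tab with no opener.
const freshTab = { url: "https://bugzilla.mozilla.org/enter_bug.cgi", opener: null, parent: null };

console.log(isOriginPotentiallyTrustworthy(tab.url)); // origin-only result
console.log(isSecureContextModel(tab), findInsecureLink(tab)); // context result and cause
console.log(isSecureContextModel(freshTab));
```

The `path` field of the returned object plays the role of the web console check requested in the thread: it names which link in the chain (here `window.opener`) makes the context insecure.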