Open
Bug 1337338
Opened 7 years ago
Updated 2 years ago
When a http form is injected via JavaScript the padlock doesn't change to broken
Categories
(Toolkit :: Password Manager, defect, P3)
Tracking
()
NEW
People
(Reporter: jkt, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fxprivacy])
STR:
1. Go to: mozilla.com
2. Open the developer console and submit:
let form = document.createElement('form'); form.setAttribute("action","http://example.com"); form.innerHTML = "<input type=\"password\"/>"; document.body.appendChild(form);
The console warns with:
Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.
However the insecurePassword padlock isn't present in the URL bar like it is for: http://http-dynamic-login.badssl.com/
However going to: http://http-credit-card.badssl.com/ (which currently doesn't break the padlock and changing a text field in the inspector to a password breaks the padlock)
|
Reporter | |
Comment 1•7 years ago
|
||
Interestingly this works in a content script in an extension (which was my initial use-case) perhaps there is a race condition causing the padlock not to be broken after load? Even with a setTimeout the extension still works though.
|
||
Comment 2•7 years ago
|
||
Jonathan: who implemented the UI for this? we should needinfo or assign to that person but it sounds more front-end than backend "DOM Security".
Flags: needinfo?(jkt)
|
|
Reporter | |
Updated•7 years ago
|
Component: DOM: Security → Security
Flags: needinfo?(jkt) → needinfo?(paolo.mozmail)
Product: Core → Firefox
|
||
Comment 3•7 years ago
|
||
This bug probably needs to be moved to the right front-end component.
Flags: needinfo?(paolo.mozmail)
Flags: needinfo?(jhofmann)
Flags: needinfo?(MattN+bmo)
|
||
Comment 4•7 years ago
|
||
I think this is Password Manager :)
Component: Security → Password Manager
Flags: needinfo?(jhofmann)
Flags: needinfo?(MattN+bmo)
Product: Firefox → Toolkit
Whiteboard: [fxprivacy] [triage]
|
||
Updated•7 years ago
|
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
|
|
Reporter | |
Comment 5•7 years ago
|
||
:MattN asked if the field had an in context warning on the password field... I can confirm that it does. This may reduce the priority.
Priority: P3 → --
Whiteboard: [fxprivacy] → [fxprivacy] [triage]
|
||
Updated•7 years ago
|
Priority: -- → P4
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
It seems that the extension case has recently regressed¹, as https://addons.mozilla.org/firefox/addon/snap-http-padlocks/ no longer seems to work. ¹ possibly as a result of bug 1310447
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•