Open Bug 208881 Opened 21 years ago Updated 2 years ago

warn about possible web spoofing: warn if form action domain is different from domain where form came from

Categories

(Core :: DOM: Core & HTML, enhancement)

People

(Reporter: hauser, Unassigned)

Attachments

(1 file)

35.50 KB, application/octet-stream
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519

Most users probably have a hard time understanding this subtlety and posting a
form to a different domain than where the html generating the form came from may
be perfectly legitimate.

However, it would be great to be able under preferences to configure being
warned about this.

See example discussed on security mailing lists attached.

Reproducible: Always

Attached file payPalSpoof.msg

Sorry for attaching this in Outlook format (no clue what the best portable
message storage format would be...).

At least when I save the mail as .html and load it with Mozilla, I don't seem
to get an error for https either.

Confirming as a new RFE.

Also note bug 168274, about exposing the form action more visibly in all cases.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: form-submission → nobody
QA Contact: ashshbhatt → form-submission
Component: HTML: Form Submission → DOM: Core & HTML
Severity: normal → S3
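
The check this bug asks for, sketched as an added example (not part of the bug report and not Mozilla's code): it lists the form submit targets whose host differs from the host the page was loaded from. It assumes exact hostname comparison rather than registrable-domain comparison (which would need the Public Suffix List); `FormTargets`, `cross_host_targets` and the example.* sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page served from www.example.com carrying three forms.
SAMPLE_URL = "https://www.example.com/account/login"
SAMPLE_HTML = """
<form action="/session" method="post"><input name="user"></form>
<form action="https://collector.example.net/submit" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="/search"><button formaction="//other.example.org/q">Go</button></form>
"""


class FormTargets(HTMLParser):
    """Collect every URL the page's forms can submit to."""

    def __init__(self):
        super().__init__()
        self.base_href = None   # first <base href>, if any
        self.raw_targets = []   # action / formaction values as written

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base_href is None:
            self.base_href = a["href"]
        elif tag == "form":
            self.raw_targets.append((a.get("action") or "").strip())
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action
            self.raw_targets.append(a["formaction"].strip())


def cross_host_targets(html, page_url):
    """Return resolved submit URLs whose host differs from the page's host."""
    parser = FormTargets()
    parser.feed(html)
    base = urljoin(page_url, parser.base_href or "")
    page_host = (urlsplit(page_url).hostname or "").lower()
    flagged = []
    for raw in parser.raw_targets:
        # An empty or missing action submits to the document's own URL.
        resolved = urljoin(base, raw) if raw else page_url
        parts = urlsplit(resolved)
        same_host = (parts.hostname or "").lower() == page_host
        if parts.scheme in ("http", "https") and not same_host:
            flagged.append(resolved)
    return flagged


if __name__ == "__main__":
    for url in cross_host_targets(SAMPLE_HTML, SAMPLE_URL):
        print("WARNING: form submits to a different host:", url)
```

Because a `<base href>` changes where relative actions resolve, a form with `action="post.cgi"` can still be flagged even though the attribute itself names no host.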