278177 - Make password manager recognize www for passwords

Status: RESOLVED INVALID

(Toolkit :: Password Manager, enhancement)

Description

[Aaron Slunt]

Here's an example: logging in to spreadfirefox.

If you login using http://spreadfirefox.com and get password manager to remember
it, it'll store fine. Yay. Now, if you try to login
http://www.spreadfirefox.com, the password is not there: the password manager
sees the www and assumes it's not the same site. I see why this is there: for
subdomains and stuff. However, I believe the password manager should exclude www
when looking for remembered passwords, so the saved password works on
http://www.spreadfirefox.com and http://spreadfirefox.com

Comment 1

[Gabriel Sjoberg]

Changing to enhancement.

-1 Vote from me.

Comment 2

[David P James]

Mass edit: Changing QA to default QA Contact

Comment 3

[Robert Chapin]

Recommend invalid.

CNAME entries do not imply same website, due to host headers.

Comment 4

[Stephanie Daugherty [:sdaugherty]]

90-99% of the time, this would probably work. However, there are instances where http://www.example.com/ and http://example.com/ are not the same site, and possibly even rare instances where this would present a security risk. I would think that this is why the behavior is as it is.

This is probably a WONTFIX, but that's not my call - confirming so that a developer can make a decision on this.

Comment 5

[Robert Chapin]

(In reply to comment #4)
> and possibly even rare instances where this would present a security risk. I
> would think that this is why the behavior is as it is.

Current behavior is based on HTTP, DNS protocol, and the Mozilla Same Origin Rule.  These are implemented by every web server and client, not "rare instances".  This is not a valid bug.