Closed Bug 105024 Opened 24 years ago Closed 24 years ago

Alert dialog is ignored when leaving an encrypted page

Categories

(Core Graveyard :: Security: UI, defect, P3)

1.0 Branch

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 62178
Future

People

(Reporter: ccurtis0, Assigned: ssaux)

Details

I had just placed an order online (SSL) and then typed in another URL in the location bar (non-SSL) [Order at OCIE.com, went to check status at googlegear.com] and the Alert dialog popped up warning that I was leaving an encrypted site, but the page loaded in the background while the dialog was active. I guess that there is no "Cancel" on this dialog, so it doesn't really matter, but I haven't been able to reproduce it (going from etrade.com (SSL) to google.com (non-SSL)) so it seems like a buglet somewhere (inconsistency). Running build 2001100821 under Debian GNU/Linux unstable, kernel 2.4.6.
This is a security problem, since the URL you are going to could contain GET data that you have now sent to a server over an unencrypted channel.
Assignee: asa → ssaux
Severity: minor → major
Status: UNCONFIRMED → NEW
Component: Browser-General → Client Library
Ever confirmed: true
Product: Browser → PSM
QA Contact: doronr → junruh
Version: other → 2.1
In the example given by the reporter, typing an URL in the URL bar can't possibly compromise any of the user's information, unless he types confidential information.
Priority: -- → P3
Target Milestone: --- → Future
Since all I did was report it, I'm not going to change any settings, but it doesn't seem to me like it's that big of a deal -- The dialog says "You are leaving", not "Are you sure?" and your only option is "OK". You cannot cancel the operation - you ARE leaving the SSL site, no matter what your intents after seeing the dialog. Perhaps the dailog needs to be changed to allow you to cancel the operation. I setup this page on an SSL site (maybe mozilla is too smart for me): <html> <head> <title>foo</title> </head> <body> <a href="http://non-ssl.com/foo.html?foo=bar">click me</a> </body> </html> And when I clicked to leave the site (with my credit card number now stored in the variable 'foo' [eg]) the dialog appeared: "You ARE leaving" and now my card number is exposed in the URL bar on my non-SSL site. This does seem like a security problem - there has to be a way to cancel the operation.
*** This bug has been marked as a duplicate of 62178 ***
Status: NEW → RESOLVED
Closed: 24 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → DUPLICATE
vrfy dupe
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.