Closed
Bug 105024
Opened 24 years ago
Closed 24 years ago
Alert dialog is ignored when leaving an encrypted page
Categories
(Core Graveyard :: Security: UI, defect, P3)
Tracking
(Not tracked)
Future
People
(Reporter: ccurtis0, Assigned: ssaux)
Details
I had just placed an order online (SSL) and then typed in another URL in the
location bar (non-SSL) [Order at OCIE.com, went to check status at
googlegear.com] and the Alert dialog popped up warning that I was leaving an
encrypted site, but the page loaded in the background while the dialog was active.
I guess that there is no "Cancel" on this dialog, so it doesn't really matter,
but I haven't been able to reproduce it (going from etrade.com (SSL) to
google.com (non-SSL)) so it seems like a buglet somewhere (inconsistency).
Running build 2001100821 under Debian GNU/Linux unstable, kernel 2.4.6.
Comment 1•24 years ago
|
||
This is a security problem, since the URL you are going to could contain GET
data that you have now sent to a server over an unencrypted channel.
Assignee: asa → ssaux
Severity: minor → major
Status: UNCONFIRMED → NEW
Component: Browser-General → Client Library
Ever confirmed: true
Product: Browser → PSM
QA Contact: doronr → junruh
Version: other → 2.1
| Assignee | ||
Comment 2•24 years ago
|
||
In the example given by the reporter, typing an URL in the URL bar can't
possibly compromise any of the user's information, unless he types confidential
information.
Priority: -- → P3
Target Milestone: --- → Future
| Reporter | ||
Comment 3•24 years ago
|
||
Since all I did was report it, I'm not going to change any settings, but it
doesn't seem to me like it's that big of a deal -- The dialog says "You are
leaving", not "Are you sure?" and your only option is "OK". You cannot cancel
the operation - you ARE leaving the SSL site, no matter what your intents after
seeing the dialog.
Perhaps the dailog needs to be changed to allow you to cancel the operation. I
setup this page on an SSL site (maybe mozilla is too smart for me):
<html>
<head>
<title>foo</title>
</head>
<body>
<a href="http://non-ssl.com/foo.html?foo=bar">click me</a>
</body>
</html>
And when I clicked to leave the site (with my credit card number now stored in
the variable 'foo' [eg]) the dialog appeared: "You ARE leaving" and now my card
number is exposed in the URL bar on my non-SSL site.
This does seem like a security problem - there has to be a way to cancel the
operation.
Comment 4•24 years ago
|
||
*** This bug has been marked as a duplicate of 62178 ***
Status: NEW → RESOLVED
Closed: 24 years ago
OS: Linux → All
Hardware: PC → All
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•