Closed
Bug 1052247
Opened 11 years ago
Closed 7 years ago
FxAccountsOAuthClient should require HTTPS URLs
Categories
(Firefox :: Firefox Accounts, defect, P2)
RESOLVED
FIXED
Firefox 58
 | Tracking | Status |
---|---|---|
firefox58 | --- | fixed |
People
(Reporter: MattN, Assigned: tcsc)
Attachments
(1 file)
We should enforce at the FxAccountsOAuthClient level that OAuth is done over HTTPS, not HTTP.
Comment 1•11 years ago
I don't disagree. One note: we enforce HTTPS for the FxA Auth URL in the browser without any easy way to override, and it's a PITA to do dev against a local HTTP server. It would be nice to have a pref to disable that enforcement.
Reporter
Comment 2•11 years ago
Yeah, we will need a way to override it since XPCShell tests still don't allow HTTPS test servers (bug that is bug 466524. browser-chrome and other suites support this already). For UITour we added a pref browser.uitour.requireSecure that is true by default but can be flipped to false for developers.
Comment 3•11 years ago
(In reply to Matthew N. [:MattN] from comment #2)
> Yeah, we will need a way to override it since XPCShell tests still don't
> allow HTTPS test servers (bug that is bug 466524. browser-chrome and other
> suites support this already). For UITour we added a pref
> browser.uitour.requireSecure that is true by default but can be flipped to
> false for developers.
A custom setting such as "requireSecure" would be awesome!
Currently for FxA we have: http://mxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccounts.jsm#848
"Firefox Accounts server must use HTTPS"
Updated•7 years ago
Priority: -- → P2
Updated•7 years ago
Assignee: nobody → tchiovoloni
Comment hidden (mozreview-request)
Assignee
Comment 5•7 years ago
I'm not 100% sure if this was supposed to be via a new preference, or via the same one mentioned in comment 3. I've assumed it's supposed to be a new one in this code.
Comment 6•7 years ago
mozreview-review
Comment on attachment 8915313 [details]
Bug 1052247 - Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient.
https://reviewboard.mozilla.org/r/186508/#review191684
This looks fine, but as you guessed I might say, I see no need for a new preference - this is a "debug only" preference, so I think it's fine to have a single pref that applies everywhere and is one less thing to confuse other devs.
Attachment #8915313 - Flags: review?(markh)
Comment hidden (mozreview-request)
Comment 8•7 years ago
mozreview-review
Comment on attachment 8915313 [details]
Bug 1052247 - Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient.
https://reviewboard.mozilla.org/r/186508/#review192038
Thanks!
Attachment #8915313 - Flags: review?(markh) → review+
Pushed by tchiovoloni@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1858ac6e5128
Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient. r=markh
Comment 10•7 years ago
bugherder
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox58:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Updated•7 years ago
Product: Core → Firefox
Updated•7 years ago
Target Milestone: mozilla58 → Firefox 58
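The behaviour discussed in this bug (HTTPS required by default, with a single debug-only switch for developers running a local HTTP server) can be sketched as follows. This is an added example, not the patch attached to this bug or any Mozilla code; `debugPrefs.allowHttp`, `requireSecureOAuthUrl` and `checkUrl` are hypothetical names, and the sample URLs are constructed.

```javascript
"use strict";

// Hypothetical stand-in for the browser preference store. The default is
// secure: plain HTTP is refused unless a developer flips the flag.
const debugPrefs = { allowHttp: false };

// Validate an OAuth endpoint URL before any request is made.
// Returns the parsed URL, or throws if the scheme is not acceptable.
function requireSecureOAuthUrl(rawUrl, prefs = debugPrefs) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    throw new Error(`Invalid OAuth URL: ${rawUrl}`);
  }
  // URL normalises the scheme to lower case, so "HTTPS://" also passes.
  if (url.protocol === "https:") {
    return url;
  }
  // The override only downgrades to http:, never to file:, data:, etc.
  // A strict boolean check keeps a string such as "false" from enabling it.
  if (url.protocol === "http:" && prefs.allowHttp === true) {
    return url;
  }
  throw new Error("OAuth server must use HTTPS");
}

// Non-throwing wrapper that reports the outcome as a string.
function checkUrl(rawUrl, prefs) {
  try {
    return "accepted " + requireSecureOAuthUrl(rawUrl, prefs).protocol;
  } catch (e) {
    return "rejected";
  }
}

// Constructed sample inputs, checked with the override off and on.
const samples = [
  "https://oauth.example.com/v1",
  "HTTPS://oauth.example.com/v1",
  "http://localhost:9010/v1",
  "file:///tmp/oauth",
  "not a url",
];
for (const s of samples) {
  const off = checkUrl(s, { allowHttp: false });
  const on = checkUrl(s, { allowHttp: true });
  console.log(`${s} => default: ${off}, override: ${on}`);
}
```

Keeping the check in one function that every OAuth request path calls means the override cannot be enabled for one code path and forgotten in another.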