Closed
Bug 1052247
Opened 10 years ago
Closed 7 years ago
FxAccountsOAuthClient should require HTTPS URLs
Categories
(Firefox :: Firefox Accounts, defect, P2)
Firefox
Firefox Accounts
Tracking
()
RESOLVED
FIXED
Firefox 58
| Tracking | Status | |
|---|---|---|
| firefox58 | --- | fixed |
People
(Reporter: MattN, Assigned: tcsc)
References
Details
Attachments
(1 file)
We should enforce at the FxAccountsOAuthClient level that OAuth is done over HTTPS, not HTTP.
|
||
Comment 1•10 years ago
|
||
I don't disagree. One note: we enforce HTTPS the FxA Auth URL in the browser without any easy way to override, and it's a PITA to do dev against a local HTTP server. It would be nice to have a pref to disable that enforcement.
|
Reporter | |
Comment 2•10 years ago
|
||
Yeah, we will need a way to override it since XPCShell tests still don't allow HTTPS test servers (bug that is bug 466524. browser-chrome and other suites support this already). For UITour we added a pref browser.uitour.requireSecure that is true by default but can be flipped to false for developers.
|
||
Comment 3•10 years ago
|
||
(In reply to Matthew N. [:MattN] from comment #2) > Yeah, we will need a way to override it since XPCShell tests still don't > allow HTTPS test servers (bug that is bug 466524. browser-chrome and other > suites support this already). For UITour we added a pref > browser.uitour.requireSecure that is true by default but can be flipped to > false for developers. A custom setting such as "requireSecure" would be awesome! Currently for FxA we have: http://mxr.mozilla.org/mozilla-central/source/services/fxaccounts/FxAccounts.jsm#848 "Firefox Accounts server must use HTTPS"
|
||
Updated•7 years ago
|
Priority: -- → P2
|
|
||
Updated•7 years ago
|
Assignee: nobody → tchiovoloni
| Comment hidden (mozreview-request) |
|
Assignee | |
Comment 5•7 years ago
|
||
I'm not 100% sure if this was supposed to be via a new preference, or via same one mentioned in comment 3. I've assumed it's supposed to be a new one in this code.
|
||
Comment 6•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8915313 [details] Bug 1052247 - Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient. https://reviewboard.mozilla.org/r/186508/#review191684 This looks fine, but as you guessed I might say, I see no need for a new preference - this is a "debug only" preference, so I think it's fine to have a single pref that applies everywhere and is one less thing to confuse other devs.
Attachment #8915313 -
Flags: review?(markh)
| Comment hidden (mozreview-request) |
|
|
||
Comment 8•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8915313 [details] Bug 1052247 - Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient. https://reviewboard.mozilla.org/r/186508/#review192038 Thanks!
Attachment #8915313 -
Flags: review?(markh) → review+
Pushed by tchiovoloni@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1858ac6e5128 Enforce that OAuth is done over HTTPS in FxAccountsOAuthClient. r=markh
|
||
Comment 10•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1858ac6e5128
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox58:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
|
||
Updated•7 years ago
|
Product: Core → Firefox
|
||
Updated•7 years ago
|
Target Milestone: mozilla58 → Firefox 58
You need to log in
before you can comment on or make changes to this bug.
Description
•