Open Bug 1078088 Opened 10 years ago Updated 2 years ago

Provide indicator when interacting with site in IFRAME

Categories

(Firefox :: Security, defect)

32 Branch
x86_64
Windows 8.1
defect

Tracking

UNCONFIRMED

People

(Reporter: sime.vidas, Unassigned)

Details

(Keywords: dupeme, uiwanted, ux-control)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140923175406

Steps to reproduce:

GitHub provides a “Log in to PayPal” dialog by embedding https://paypal.com in an <iframe> (see attached screenshot).


Actual results:

Firefox does not provide any indicator that the log-in form in the dialog is a page from a different, authenticated origin. I see several problems with this:

1. The user doesn’t know who controls the log-in form (GitHub or PayPal). This may discourage the user from interacting with it.
2. A malicious site may trick the user into thinking that the log-in form is controlled by a third-party site (like PayPal) and thus gain access to the user’s password for that third party. Firefox does not guard against this.


Expected results:

Firefox should provide an indicator (preferably in the address bar) whenever the user is interacting with a site embedded in an <iframe>. That way, the user can be certain which origin controls a dialog at all times.
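Until the browser shows such an indicator, the embedded site has to protect itself. As an added example that is not part of this bug report, the following helpers show what a login page like the one described above can do: emit a `frame-ancestors` policy so the browser refuses unauthorized framing, and, as a second layer, check its own ancestor chain before rendering the form. The allowlisted embedder `https://github.com` and the origin `https://evil.example` are constructed sample values.

```javascript
// Added example (not from the bug report). The CSP header is the authoritative
// control: the browser enforces it before any script in the framed page runs.
// The in-page check is only a second layer, since a sandboxed or script-less
// frame cannot run it, but it can tell the user which origin embeds the form.

// Build a Content-Security-Policy frame-ancestors directive from an allowlist
// of embedder origins. An empty allowlist refuses all framing.
function frameAncestorsHeader(allowedOrigins) {
  const sources = allowedOrigins.length === 0
    ? ["'none'"]
    : ["'self'", ...allowedOrigins];
  return `frame-ancestors ${sources.join(" ")}`;
}

// Decide whether a framed login page should show its form.
// ancestorOrigins: one origin per enclosing frame, direct parent first, as in
// location.ancestorOrigins (Chromium/WebKit). Firefox does not expose that
// list, so there only the "framed or not" bit is reliable.
function framingDecision(selfOrigin, ancestorOrigins, allowedOrigins) {
  if (ancestorOrigins.length === 0) {
    return { render: true, embedder: null, reason: "top-level" };
  }
  const allowed = new Set([selfOrigin, ...allowedOrigins]);
  // Every frame in the chain must be trusted, not just the direct parent;
  // otherwise an untrusted page could nest an allowed embedder in between.
  for (const origin of ancestorOrigins) {
    if (!allowed.has(origin)) {
      return { render: false, embedder: origin, reason: "unauthorized embedder" };
    }
  }
  return { render: true, embedder: ancestorOrigins[0], reason: "authorized embedder" };
}

// Browser hookup (skipped when run under Node). When the browser cannot name
// the embedder, the placeholder fails the allowlist, so the form stays hidden.
if (typeof window !== "undefined") {
  const framed = window.top !== window.self;
  const ancestors = window.location.ancestorOrigins
    ? Array.from(window.location.ancestorOrigins)
    : (framed ? ["(embedder not exposed by this browser)"] : []);
  const d = framingDecision(window.location.origin, ancestors, ["https://github.com"]);
  if (!d.render) {
    document.body.textContent = `Login form hidden: embedded by ${d.embedder}.`;
  }
}
```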
Keywords: uiwanted, ux-control
Whiteboard: [DUPEME]
Component: Untriaged → Security
Severity: normal → S3
Keywords: dupeme
Whiteboard: [DUPEME]

Should I submit this on connect.mozilla.org? Would that be a better place for this proposal?
