Closed Bug 115048 Opened 23 years ago Closed 23 years ago

Mozilla complains about insecure form submission that is secure.

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
VERIFIED DUPLICATE of bug 63095

People

(Reporter: ramon, Assigned: alexsavulov)

References

(
URL
)

Details

From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.6) Gecko/20011120 BuildID: 2001112012 Mozilla complains about an insecure form submission. The URL of the form submission is originally insecure. However the javascript code of the page changes it to a secure address, by assigning the action member of the form: document.MenuHome.action= chSecurity(document.MenuHome.action) Debugging the page with Mozilla javascript debugger confirms that document.MenuHome.action is sucessfully assigned to https://www.ebankinter.com/www/es-es/cgi/ebk+login , just before the call to document.MenuHome.submit() (see line 267 and below). However, Mozilla complains about an insecure form submission. According to tcpdump traces, the submission is actually secure. This problem might seem small from the point of view of a software developer. However, from the point of view of users it creates a concern about security of data transmitted. This is the reason why I put the severity to major. Reproducible: Always Steps to Reproduce: 1. Ensure that in Preferences, Privacy & Security/SSL Warnings "Sending data from an unencrypted page to an unencrypted page" is enabled. 2. Open http://www.ebankinter.com/www/es-es/cgi/ebk+home 3. Put a random user under "Usuario" and a random password under "Contraseña" Actual Results: Mozilla complains about an insecure form submission. Expected Results: Mozilla should not complain. I place here a sample html code to make you easier to debug the problem. A correct browser should not not show any warning after clicking in the text "Click here". <html> <body> <script> function secureSend() { document.someform.action="https://www.redhat.com"; document.someform.submit(); } </script> <form name=someform action="http://www.redhat.com/" method="POST""> <input name="rnddata" maxlength="12" size="10" type="text"> <a onclick="secureSend(); return false;" href="kk.html"> Click here to test </a> </form> </body> </html>
> However, from the point of view of users it creates a concern about security of > data transmitted. As well it should. With an insecure posting page you have no guarantees that the data is being posted to where you _think_ it's being posted to. So the problem here is not that the form action is insecure, but that the page the form is in is insecure. Details in bug 63095 Duplicate of 'Submitting form with https action from http page brings up a "the information you submit is insecure" dialog' *** This bug has been marked as a duplicate of 63095 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
verifying
Status: RESOLVED → VERIFIED
Component: HTML: Form Submission → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.