Closed Bug 1167918 Opened 10 years ago Closed 9 years ago

Spurious "insecure password form" warning in devconsole when signing into FxA

Categories

(Core :: DOM: Security, defect)

RESOLVED DUPLICATE of bug 983326

People

(Reporter: francois, Unassigned)

Attachments

(1 file)

The Firefox Account sign-in page (about:accounts) triggers a warning in the devconsole which claims that the password field is on an insecure page.

STR:
1. open the devtool console
2. sign into FxA using the hamburger menu

The code is checking against a list of protocol flags to determine whether or not the page is safe for a password field:
https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm#78

"safe" about: pages are supposed to be covered in URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT:
http://mxr.mozilla.org/mozilla-central/source/netwerk/base/nsIProtocolHandler.idl#256
http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/about/nsAboutProtocolHandler.cpp#237

One or two things need to happen here.

1) We need to expand InsecurePasswordUtils.jsm to include all about: pages. Passwords on any about: page wouldn't create a security risk (this sounds true to me).
2) We need to add the "safe" about: flag to about:accounts. I can't recall the differences between safe-about and unsafe-about, but I think it has something to do with whether or not an about: resource can be embedded. (Marking about:accounts as safe may or may not be the right thing to do; we'd need to find out more.)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
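
The flag check discussed in the comments above and the two proposed fixes, as an added example: this is a simplified model, not the code in InsecurePasswordUtils.jsm. Only the flag name URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT comes from the bug; the bit value, the per-page flag tables, the sample URLs and the function names are constructed, and treating https: as always safe is an assumption.

```javascript
// Simplified model of a flag-based "is this page safe for a password field?" check.
// Only the flag NAME comes from the bug; the bit value and tables are constructed.
const URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT = 1 << 0; // constructed bit value

// Constructed per-page flag table for about: pages.
const CURRENT_ABOUT_FLAGS = new Map([
  ["accounts", 0],                                      // page from the bug: not flagged
  ["example-safe", URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT], // hypothetical flagged page
  ["example-unflagged", 0],                             // hypothetical unflagged page
]);

// Option 2 from the comment: add the "safe" flag to about:accounts only.
const OPTION2_ABOUT_FLAGS = new Map(CURRENT_ABOUT_FLAGS)
  .set("accounts", URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT);

function isSafeForPassword(url, { aboutFlags = CURRENT_ABOUT_FLAGS, exemptAllAbout = false } = {}) {
  const u = new URL(url);
  if (u.protocol === "https:") return true;   // assumption: TLS pages pass
  if (u.protocol !== "about:") return false;  // e.g. plain http: gets the warning
  if (exemptAllAbout) return true;            // option 1: every about: page passes
  const flags = aboutFlags.get(u.pathname.toLowerCase()) ?? 0; // unknown page: no flags
  return (flags & URI_SAFE_TO_LOAD_IN_SECURE_CONTEXT) !== 0;
}

// Returns the URLs that would get the "insecure password form" warning.
function warnedPages(urls, options) {
  return urls.filter((url) => !isSafeForPassword(url, options));
}

// Constructed sample pages, each assumed to contain a password field.
const SAMPLE_PAGES = [
  "https://accounts.example/signin",
  "http://login.example/",
  "about:accounts?action=signin",
  "about:example-safe",
  "about:example-unflagged",
];

console.log("current :", warnedPages(SAMPLE_PAGES));
console.log("option 1:", warnedPages(SAMPLE_PAGES, { exemptAllAbout: true }));
console.log("option 2:", warnedPages(SAMPLE_PAGES, { aboutFlags: OPTION2_ABOUT_FLAGS }));
```

Option 1 silences the warning for every about: page, including ones nobody has reviewed, while option 2 leaves unflagged about: pages still reporting.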