HTTP 401 errors will trigger login prompts when inlined on third party websites

UNCONFIRMED
Unassigned

Status

()

Core
Networking: HTTP
P3
normal
UNCONFIRMED
2 years ago
3 months ago

People

(Reporter: josh, Unassigned)

Tracking

41 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [necko-backlog])

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2371.0 Safari/537.36

Steps to reproduce:

Using the <img /> tag to inline content from a website (even 3rd party remote websites) that are behind an HTTP Authentication screen will trigger a prompt asking for login credentials.

For instance, link this image on a forum.
http://filthyfigments.com/members/comics/onelatenight/0109.jpg


Actual results:

You will get this prompt.
http://i.imgur.com/WOgt5Ec.png

This scares the hell out of people.


Expected results:

I expected a broken image. When someone tried to link this image (which apparently belongs to a paid-user area of a porn site), dozens of people browsing the index page of my website who use Mozilla Firefox got a prompt asking them for their porn site credentials, which made them believe their browser or my website was compromised by a virus.

Nobody who was introduced to computers in the last decade has used an HTTP Authentication form. Nobody knows what they look like. This should be hidden unless you are accessing the document directly.

Updated

2 years ago
Blocks: 61681
Component: Untriaged → Networking: HTTP
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
if you go to about:config and then search for:
network.auth.subresource-http-auth-allow

and change it value to 1.
This will not allow an authentication dialog to prompt for cross-origin subresources. But we cannot put this as default because it breaks some sites and actually wonted behavior. 

see bug 647010.
(Reporter)

Comment 2

2 years ago
Well, that's just another reason to keep using Chrome I guess. I feel bad for people who trust FireFox at work and visit an unsuspecting website only to see "Enter in your fetishlord.xxx details!" throw up on the middle of the screen. Very few people use 401s in 2015, especially in this obscure and counter intuitive way. I think it's OK to tell the Internet to grow up sometimes.
(Reporter)

Comment 3

2 years ago
Proof of concept:
http://animalfetishporn.us/

I sincerely believe this will be abused and have done my part to make sure that happens.
Whiteboard: [necko-backlog]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
You need to log in before you can comment on or make changes to this bug.