Closed Bug 121792 Opened 23 years ago Closed 23 years ago

User can see content of password and hidden fields in page info, and this option cannot be turned off

Categories

(SeaMonkey :: Page Info, defect)

defect
Not set
trivial

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: atmjav, Assigned: db48x)

Attachments

(2 files, 1 obsolete file)

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.7+) Gecko/20020124
BuildID:    2002012403

User can see content of password and hidden fields in page info - it's great!
But there should be an ability (some users share a computer and Mozilla with others)
to turn this option off or to require special password for this option.
Something like "Show value of the password fields in Page Info: freely/require
password [change password]/off".

If you decide that this is not critical, I will agree with you.

I think, an option to see value of hidden and password fields is very useful, so
thank you!
yes, this is a bug. some would say critical, some not. trivial to fix, unless
you really really think it's worth bothering with extra passwords and prefs and
stuff.
Assignee: trudelle → db48x
Blocks: 82059
Severity: minor → trivial
Status: UNCONFIRMED → NEW
Component: XP Apps → XP Apps: GUI Features
Ever confirmed: true
OS: Windows 98 → All
Hardware: PC → All
Maybe you could connect this option to the Master Password?
could, technically. still lots and lots more work.
oh, and fwiw, I don't consider the fact that you can see the values of hidden
fields bad, after all you can just do view-source and see the same information.
Yes, you are right. But what about password fields... Maybe, if a user sets
Master Password, he can expect that another user cannot get his stored
passwords... even via Page Info...

However, I think, it's not critical. So, if you think it's not critical too, we
will decide that all is correct.
Attached patch simplest fix (obsolete) — Splinter Review
this is pretty much the simplest possible fix. Personally I think it is
sufficient, simply because I don't think it's worth the trouble to ask the user
for a password in order to let him view page info.
Agreed, asking passwords for this would be intolerable.
Fwiw, this change won't prevent me from using a bookmarklet to extract 
passwords from a web form.  (I offered to give my dad a bookmarklet to do 
exactly that when Gator, a password manager add-on for IE that he used, turned 
from freeware to spyware.)

I still think this page info bug should be fixed, since most users won't think 
of writing a bookmarklet to steal a password.
Comment on attachment 66562 [details] [diff] [review]
simplest fix

>+        var val = (elem.type.match(/password/i)) ? theBundle.getString("formPassword") : elem.value;
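Review bot: the test elem.type.match(/password/i) on this line is an unanchored substring match rather than an equality check, so it would mask any input whose type merely contains "password"; compare the type exactly instead. The substitution also only protects what is displayed through val, so it is worth checking that no other Page Info view reads elem.value for the same element without this test.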

Instead, do:

        var val = (elem.type == "password") ? theBundle.getString("formPassword") : elem.value;

the .type property is lowercased regardless as it is defined in HTML 4 (the DOM
spec explicitly references HTML 4 which uses lowercase).

See:
http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/level-one-html.html#ID-62883744
http://www.w3.org/TR/2001/WD-DOM-Level-2-HTML-20011210/html.html#ID-62883744
http://www.w3.org/TR/REC-html40/interact/forms.html#adef-type-INPUT
Attachment #66562 - Flags: needs-work+
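
The masking rule from the review above, as an added example that is not the patch attached to this bug: a DOM-free model of the Forms listing that compares the lowercased type exactly and leaves hidden fields visible, as discussed earlier in the thread. The field objects, `reflectedType`, `formFieldRows` and the placeholder string are assumptions made for illustration.

```javascript
// Added example: a DOM-free model of the Page Info "Forms" listing.
// Field objects and the placeholder text are constructed for illustration.
const PASSWORD_PLACEHOLDER = "(password hidden)"; // stands in for the localized "formPassword" string

// Model of the DOM's reflected .type as described in the review:
// lowercased, and defaulting to "text" when the attribute is absent.
function reflectedType(typeAttr) {
  return (typeAttr == null || typeAttr === "") ? "text" : String(typeAttr).toLowerCase();
}

// Build the rows the Forms listing would display: [name, type, value].
function formFieldRows(fields) {
  return fields.map((field) => {
    const type = reflectedType(field.typeAttr);
    // Exact comparison, as the review asks; no substring or regex match.
    // The placeholder is a fixed string, so it does not reveal the value's length.
    const shown = (type === "password") ? PASSWORD_PLACEHOLDER : field.value;
    return [field.name, type, shown];
  });
}

// Constructed sample form, including the upper-case spelling tested in the thread.
const sampleFields = [
  { name: "user",  typeAttr: "text",     value: "alice" },
  { name: "pw",    typeAttr: "password", value: "s3cret" },
  { name: "pw2",   typeAttr: "PASSWORD", value: "longer-secret" },
  { name: "token", typeAttr: "hidden",   value: "abc123" },
  { name: "note",  typeAttr: undefined,  value: "hello" },
];

const rows = formFieldRows(sampleFields);
for (const row of rows) console.log(row.join("\t"));
```
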
Attached patch nifty — Splinter Review
Attachment #66562 - Attachment is obsolete: true
jag, could you sr= this one too please?
Status: NEW → ASSIGNED
Component: XP Apps: GUI Features → Page Info
QA Contact: sairuh → pmac
I'm sorry, but if you disable this option for all users with no way to enable
it, no user will be able to read HIS OWN password if he forgot it, but website
remembers.
Alexander Hessentswey: IMHO it's correct.
You could make the same argument against the stars that show up in place of the
actual characters in the original input fields. Besides, if the user (or anyone
else, for that matter) really really wants to know the password, there _are_
ways to get it. And I'm not talking about mucking about in the profile or
anything complicated like that.
Maybe the best variants are
1) only block viewing of the password field value with PageInfo (Master Password)
or
2) leave it as is
Comment on attachment 66653 [details] [diff] [review]
nifty

Just tested that Mozilla actually does the right thing for <input
type="PASSWORD">.

sr=jag.
Attachment #66653 - Flags: superreview+
fix checked in
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Summary: User can see content of password and hidden fields in page info, and this option cannot be turnet off → User can see content of password and hidden fields in page info, and this option cannot be turned off
Verified the patch.
Status: RESOLVED → VERIFIED
Strange behaviour:
- on Forms tab password is substituted by '*******'
- on Links tab password is visible (Form Submission link)

I don't know what is the correct behaviour but actually it is not coherent.
It shouldn't be on the links tab.  Could you attach your HTML to this bug using
http://bugzilla.mozilla.org/attachment.cgi?bugid=121792&action=enter ?
Fill this simple form and open Page Info, then Links tab; the third row
contains the password

Enrico
Enrico Scoda: wfm with a 1 day old CVS (no password in the link tab)
*** Bug 182883 has been marked as a duplicate of this bug. ***
*** Bug 195023 has been marked as a duplicate of this bug. ***
Product: Browser → Seamonkey