Closed
Bug 121792
Opened 23 years ago
Closed 23 years ago
User can see content of password and hidden fields in page info, and this option cannot be turned off
Categories
(SeaMonkey :: Page Info, defect)
SeaMonkey
Page Info
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: atmjav, Assigned: db48x)
References
Details
Attachments
(2 files, 1 obsolete file)
1.47 KB,
patch
|
caillon
:
review+
jag+mozilla
:
superreview+
|
Details | Diff | Splinter Review |
1.01 KB,
text/html
|
Details |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:0.9.7+) Gecko/20020124 BuildID: 2002012403 User can see content of password and hidden fields in page info - it's great! But there should be ability (some users share computer and Mozilla with others) to turn this option off or to require special password for this option. Something like "Show value of the password fields in Page Info: freely/require password [change password]/off". If you will decide that this is not critical, I will agree with you. I think, an option to see value of hidden and password fields is very useful, so thank you!
Assignee | ||
Comment 1•23 years ago
|
||
yes, this is a bug. some would say critical, some not. trivial to fix, unless you really really think it's worth bothering with extra passwords and prefs and stuff.
Assignee: trudelle → db48x
Blocks: 82059
Severity: minor → trivial
Status: UNCONFIRMED → NEW
Component: XP Apps → XP Apps: GUI Features
Ever confirmed: true
OS: Windows 98 → All
Hardware: PC → All
Reporter | ||
Comment 2•23 years ago
|
||
May be, you could connect this option to the Master Password?
Assignee | ||
Comment 3•23 years ago
|
||
could, technically. still lots and lots more work.
Assignee | ||
Comment 4•23 years ago
|
||
oh, and fwiw, I don't consider the fact that you can see the values of hidden fields bad, after all you can just do view-source and see the same information.
Reporter | ||
Comment 5•23 years ago
|
||
Yes, you are right. But what about password fields... May be, if user sets Master Password, he can expect that another user cannot get his stored passwords... even via Page Info... However, I think, it's not critical. So, if you think it's not critical too, we will decide that all is correct.
Assignee | ||
Comment 6•23 years ago
|
||
this is pretty much the simplest possible fix. Personally I think it is sufficient, simple because I don't think it's worth the trouble to ask the user for a password in order to let him view page info.
Comment 7•23 years ago
|
||
Agreed, asking passwords for this would be intolerable.
Comment 8•23 years ago
|
||
Fwiw, this change won't prevent me from using a bookmarklet to extract passwords from a web form. (I offered to give my dad a bookmarklet to do exactly that when Gator, a password manager add-on for IE that he used, turned from freeware to spyware.) I still think this page info bug should be fixed, since most users won't think of writing a bookmarklet to steal a password.
Comment 9•23 years ago
|
||
Comment on attachment 66562 [details] [diff] [review] simplest fix >+ var val = (elem.type.match(/password/i)) ? theBundle.getString("formPassword") : elem.value; Instead, do: var val = (elem.type == "password") ? theBundle.getString("formPassword") : elem.value; the .type property is lowercased regardless as it is defined in HTML 4 (the DOM spec explicitly references HTML 4 which uses lowercase). See: http://www.w3.org/TR/1998/REC-DOM-Level-1-19981001/level-one-html.html#ID-62883 744 http://www.w3.org/TR/2001/WD-DOM-Level-2-HTML-20011210/html.html#ID-62883744 http://www.w3.org/TR/REC-html40/interact/forms.html#adef-type-INPUT
Attachment #66562 -
Flags: needs-work+
Assignee | ||
Comment 10•23 years ago
|
||
Attachment #66562 -
Attachment is obsolete: true
Comment 11•23 years ago
|
||
Comment on attachment 66653 [details] [diff] [review] nifty r=caillon
Attachment #66653 -
Flags: review+
Component: XP Apps: GUI Features → Page Info
QA Contact: sairuh → pmac
Reporter | ||
Comment 13•23 years ago
|
||
I'm sorry, but if you disable this option for all users with no way to enable it, no user will be able to read HIS OWN password if he forgot it, but website remembers.
Comment 14•23 years ago
|
||
Alexander Hessentswey: IMHO it's correct.
Assignee | ||
Comment 15•23 years ago
|
||
You could make the same argument against the stars that show up in place of the actuall characters in the original input fields. Besides, if the user (or anyone else, for that matter) really really wants to know the password, there _are_ ways to get it. And I'm not talking about mucking about in the profile or anything complicated like that.
Reporter | ||
Comment 16•23 years ago
|
||
May be, the best variants are 1) only block viewing of the password field value with PageInfo (Master Password) or 2) leave it as is
Comment 17•23 years ago
|
||
Comment on attachment 66653 [details] [diff] [review] nifty Just tested that Mozilla actually does the right thing for <input type="PASSWORD">. sr=jag.
Attachment #66653 -
Flags: superreview+
Comment 18•23 years ago
|
||
fix checked in
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Summary: User can see content of password and hidden fields in page info, and this option cannot be turnet off → User can see content of password and hidden fields in page info, and this option cannot be turned off
Comment 20•22 years ago
|
||
Strange behaviour: - on Forms tab password is substituted by '*******' - on Links tab password is visible (Form Submission link) I don't know what is the correct behaviour but actually it is not coherent.
Comment 21•22 years ago
|
||
It shouldn't be on the links tab. Could you attach your HTML to this bug using http://bugzilla.mozilla.org/attachment.cgi?bugid=121792&action=enter ?
Comment 22•22 years ago
|
||
Fill this simple form and open Page Info, then Links tab; the third row contains the password Enrico
Comment 23•22 years ago
|
||
Enrico Scoda: wfm with a 1 day old CVS (no password in the link tab)
Comment 24•21 years ago
|
||
*** Bug 182883 has been marked as a duplicate of this bug. ***
Comment 25•21 years ago
|
||
*** Bug 195023 has been marked as a duplicate of this bug. ***
Updated•20 years ago
|
Product: Browser → Seamonkey
You need to log in
before you can comment on or make changes to this bug.
Description
•