Closed Bug 1235022 Opened 10 years ago Closed 10 years ago

When you use the FTP protocol in browser, you can bypass authentication with Javascript blocking.

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
43 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: whitematt3r, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0 Build ID: 20151216175450 Steps to reproduce: I visited the FTP server of my website with NoScript enabled. Actual results: It didn't ask me to authenticate but instead just took me to the files. Expected results: I should have been prompted to authenticate.
Sorry, I meant that this happens when I click on an FTP url, not just typing it out.
If the FTP server is secured and normally prompts for credentials, the only way this would happen is if the browser knew the credentials and/or was reusing the existing connection to the FTP server, which isn't a bug and has nothing to do with JS or noscript. Firefox cannot magically know the credentials for your FTP server. I'm going to open this up and mark it as invalid. If I've misunderstood, please be more explicit and try to reproduce in a new Firefox profile ( https://support.mozilla.org/kb/profile-manager-create-and-remove-firefox-profiles ) with and without just noscript installed.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.