Open Bug 1281434 Opened 8 years ago Updated 1 month ago

Work towards blocking of HTTP authentication dialogs from subresources

Categories: Core :: Networking: HTTP, defect, P3
People: Reporter: annevk, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [necko-triaged]

Showing HTTP authentication dialogs from subresources is confusing to users. Personal example:

  https://twitter.com/annevk/status/745556336981708800

I think there are two things we can do towards addressing this right away:

1. Measure how often it takes place.
2. Indicate in the developer console that this is problematic UX-wise.

Then, depending on the numbers, we can maybe disable it altogether. We should also consider disabling it for new features (it's not disabled for fetch() mostly so that can preserve the existing functionality which is needed with service workers and such).

Arguably these dialogs are always confusing, but cross-origin with the address bar is much more problematic. We should measure that separately and consider disabling those first.
See bug 647010 for some history and background.

Is it possible to also measure subrequests that require authentication, but happen not to pop the dialog because the user already authenticated during the session?

We might skip the "measure and deprecate" steps for cross-origin loads since Chrome already blocks those.
Blocks: 647010
Whiteboard: [necko-next]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P2
See Also: → 1404744
See Also: → 1409818
Moving to p3 because no activity for at least 1 year(s).
See https://github.com/mozilla/bug-handling/blob/master/policy/triage-bugzilla.md#how-do-you-triage for more information
Priority: P2 → P3
See Also: → 1571003
Severity: normal → S3

Somewhat related to bug 32761, where we discuss blocking sending user:password@host in urls. Note the comments in bug 647010 and related bugs discuss that removing the http auth requester could allow silent brute-forcing of passwords; if there are no passwords that's tougher.
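Comment 0 proposes measuring, warning in the developer console, and eventually blocking; later comments note that Chrome already blocks the cross-origin case, ask about subrequests that need auth but never prompt because credentials are already cached for the session, and warn that dropping the prompt must not let a page silently probe passwords (including user:pass@host URLs). The block below is an added example, not Firefox or Necko code, that models that triage as a pure policy function plus a tally helper standing in for the measurement step. The input shape (topLevelUrl, requestUrl, destination, status, headers, cachedCredentials), the decision names, and the sample requests are all assumptions made for the example.

```javascript
// Added example, not browser code: policy for a 401 challenge seen while
// loading a page, following the triage discussed in this bug.
//
// Decisions returned:
//   "prompt"       top-level document: keep today's dialog
//   "prompt+warn"  same-origin subresource: dialog plus a devtools warning
//   "cached"       subresource, credentials already in the session cache:
//                  no dialog would appear, but it is still counted
//   "block"        cross-origin subresource: fail the load with the 401 and
//                  never send user:pass embedded in the URL, so a page cannot
//                  silently test guessed credentials via subresource loads
//   "none"         not an auth challenge this policy handles
const SUPPORTED_SCHEMES = new Set(["basic", "digest"]);

// Header names are case-insensitive; take the first auth-scheme token of
// the challenge (e.g. 'Digest realm="x", nonce="y"' -> "digest").
function challengeScheme(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "www-authenticate") {
      return value.trim().split(/[\s,]+/)[0].toLowerCase();
    }
  }
  return null;
}

function authPromptDecision(req) {
  const { topLevelUrl, requestUrl, destination, status, headers } = req;
  if (status !== 401) return { decision: "none", reason: "not a 401" };
  const scheme = challengeScheme(headers);
  if (scheme === null || !SUPPORTED_SCHEMES.has(scheme)) {
    return { decision: "none", reason: `no supported challenge (${scheme})` };
  }
  const target = new URL(requestUrl);
  const top = new URL(topLevelUrl);
  const base = {
    scheme,
    // Same-origin means scheme, host and port all match the top-level page.
    crossOrigin: target.origin !== top.origin,
    // user:pass@host in the URL (bug 32761); flagged so it is never sent
    // silently on a blocked subresource.
    embeddedCredentials: target.username !== "" || target.password !== "",
  };
  if (destination === "document") {
    return { ...base, decision: "prompt", reason: "top-level navigation" };
  }
  if (req.cachedCredentials === true) {
    return { ...base, decision: "cached", reason: "session already authenticated" };
  }
  if (base.crossOrigin) {
    return { ...base, decision: "block", reason: "cross-origin subresource" };
  }
  return { ...base, decision: "prompt+warn", reason: "same-origin subresource" };
}

// Stand-in for the "measure how often it takes place" step: count decisions,
// split by same-origin vs cross-origin as comment 0 asks for.
function tally(requests) {
  const counts = {};
  for (const r of requests) {
    const d = authPromptDecision(r);
    if (d.decision === "none") continue;
    const key = `${d.decision}:${d.crossOrigin ? "cross-origin" : "same-origin"}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

// Constructed sample: a page on https://example.org loading several resources.
const TOP = "https://example.org/";
const BASIC = { "WWW-Authenticate": 'Basic realm="site"' };
const SAMPLE = [
  { topLevelUrl: TOP, requestUrl: TOP, destination: "document", status: 401, headers: BASIC },
  { topLevelUrl: TOP, requestUrl: "https://example.org/img/logo.png", destination: "image", status: 401, headers: { "www-authenticate": 'Basic realm="site"' } },
  { topLevelUrl: TOP, requestUrl: "https://cdn.example.net/widget.js", destination: "script", status: 401, headers: { "WWW-Authenticate": 'Digest realm="cdn", nonce="abc"' } },
  { topLevelUrl: TOP, requestUrl: "https://alice:hunter2@cdn.example.net/a.png", destination: "image", status: 401, headers: BASIC },
  { topLevelUrl: TOP, requestUrl: "https://example.org/img/b.png", destination: "image", status: 401, headers: BASIC, cachedCredentials: true },
  { topLevelUrl: TOP, requestUrl: "https://cdn.example.net/ok.png", destination: "image", status: 200, headers: {} },
  { topLevelUrl: TOP, requestUrl: "https://cdn.example.net/api", destination: "fetch", status: 401, headers: { "WWW-Authenticate": 'Bearer realm="api"' } },
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(tally(SAMPLE));
}
```

The split between "block" and "cached" is the point raised in the thread: blocking only removes the dialog for the cross-origin case, while requests that never prompt because the session is already authenticated are counted separately so the telemetry does not undercount how much cross-origin HTTP auth is actually in use.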

Severity: S3 → S4
Whiteboard: [necko-next] → [necko-triaged]