Bug 1316284 (Open, status NEW)
Opened 9 years ago, updated 3 years ago
[enhancement] Ask user if they want to send SSO credentials to the server which requests them

Categories: Core :: Networking: HTTP, enhancement, P5

Tracking
| Tracking | Status | |
|---|---|---|
| firefox52 | --- | wontfix |
People: Reporter: jhorak, Unassigned
Details: Whiteboard: [necko-would-take]
Attachments (1 file): screencast demo.mkv, 3.01 MB, video/x-matroska; phlsa: ui-review-
Currently the user is never asked whether they want to send credentials when a WWW-Authenticate: Negotiate header appears.
Imagine a scenario where Firefox is configured so that every https:// page is trusted to be sent credentials. There's reasoning to do so, because SSO is believed to be much safer than using username/password. If that's the case, having a mechanism to ask the user if they really want to send credentials to the specific page is useful.
It could be implemented as another site permission.
Comment 1 (Reporter) • 9 years ago
Attached a screencast of the feature; please have a look and see whether that's viable.
Attachment #8808974 - Flags: ui-review?(ux-review)
Comment 2 • 9 years ago
This sounds like a good idea to me.
Comment 3 • 9 years ago
Comment on attachment 8808974 [details]
screencast demo.mkv
(The ux-review alias doesn't really go to anyone, and frequently gets lost. If you actually want a ui-review, you probably shouldn't use it. Redirecting to Philipp, who will probably redirect it to someone more appropriate.)
Attachment #8808974 - Flags: ui-review?(ux-review) → ui-review?(philipp)
Updated • 9 years ago
Whiteboard: [necko-would-take]
Comment 4 • 9 years ago
Comment on attachment 8808974 [details]
screencast demo.mkv
Hey there, sorry for the long delay.
I can only comment on the UI here, not on the potential security implications (NI Tanvi for that).
The UI is sound in itself, but also looks quite intrusive to me (popping up on page load and blocking the entire browser). Can we estimate how often this would happen for any given user? What are the circumstances under which a user would see this prompt?
On a more superficial level: is there a reason that this uses different UI than the other permission prompts?
Flags: needinfo?(tanvi)
Attachment #8808974 - Flags: ui-review?(philipp) → ui-review-
Comment 5 (Reporter) • 9 years ago
(In reply to (Currently slow to respond) Philipp Sackl [:phlsa] (Firefox UX) please use needinfo from comment #4)
> Comment on attachment 8808974 [details]
> screencast demo.mkv
>
> Hey there, sorry for the long delay.
> I can only comment on the UI here, not on the potential security
> implications (NI Tanvi for that).
>
> The UI is sound in itself, but also looks quite intrusive to me (popping up
> on page load and blocking the entire browser). Can we estimate how often
> this would happen for any given user? What are the circumstances under which
> a user would see this prompt.
The user would see the prompt when the page sends a WWW-Authenticate: Negotiate header the first time they hit the page. Any subsequent communication with GSSAPI is determined by the user's choice in the dialog. If the permission is set to remember, then the user is never asked again for that particular website unless they change the permission to always ask.
> On a more superficial level: is there a reason that this uses different UI
> than the other permission prompts?
I'd love to use permission prompts, but currently it is not possible, because the page has not yet been loaded, so its mInnerWindowID is not initialized, which the current permissions implementation requires in order to show a permission popup. Maybe someone could help me fix that. I've discussed it with Christoph Kerschbaumer and we haven't found any way so far.
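The decision flow proposed in comment 0 and spelled out in comment 5 (prompt on the first Negotiate challenge from a site, remember the answer as a site permission, ask again only when the permission is reset) as an added example in Python. This is illustration code written for this page, not Firefox or necko code. The scenario "every https:// page is trusted" corresponds to setting the real pref network.negotiate-auth.trusted-uris to `https://`; the matching rules in `uri_trusted`, the `PermissionStore` class, the `Decision` values and the sample URLs are assumptions for the model, and `challenge_schemes` is a deliberately simplified WWW-Authenticate tokenizer.

```python
"""Model of a per-site permission gating SSO (GSSAPI/Kerberos) credentials.

Added example, not Firefox code. Trusted-URI matching is a simplified model
of network.negotiate-auth.trusted-uris; PermissionStore, Decision and the
sample URLs are assumptions made for illustration.
"""
from enum import Enum
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class Decision(Enum):
    SKIP = "skip"      # challenge is not Negotiate: SSO is not involved
    DENY = "deny"      # do not answer the challenge with SSO credentials
    PROMPT = "prompt"  # trusted site, no remembered answer: ask the user
    ALLOW = "allow"    # put the GSSAPI token in Authorization: Negotiate


def parse_trusted_uris(pref: str) -> List[str]:
    """Split the comma-separated pref value into lower-cased entries."""
    return [e.strip().lower() for e in pref.split(",") if e.strip()]


def uri_trusted(url: str, trusted: List[str]) -> bool:
    """Simplified matcher (assumption, not Firefox's exact one):
    'https://' matches any https URL, '.example.com' matches the domain
    and its subdomains, 'host' or 'scheme://host' must match exactly."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    for entry in trusted:
        if entry.endswith("://"):
            if scheme == entry[:-3]:
                return True
        elif "://" in entry:
            e = urlsplit(entry)
            if e.scheme == scheme and e.hostname == host:
                return True
        elif entry.startswith("."):
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False


def challenge_schemes(www_authenticate: str) -> List[str]:
    """Auth schemes offered by a WWW-Authenticate value. Simplified: the
    first word of each comma-separated challenge; quoted parameters that
    themselves contain commas are not handled."""
    schemes = []
    for challenge in www_authenticate.split(","):
        words = challenge.strip().split()
        if words:
            schemes.append(words[0].lower())
    return schemes


def origin_of(url: str) -> str:
    """Permission key: scheme://host[:port], like a site permission origin."""
    u = urlsplit(url)
    port = f":{u.port}" if u.port else ""
    return f"{u.scheme}://{u.hostname}{port}".lower()


class PermissionStore:
    """Remembered per-origin answers (True = allow, False = deny)."""

    def __init__(self) -> None:
        self._allow: Dict[str, bool] = {}

    def get(self, origin: str) -> Optional[bool]:
        return self._allow.get(origin)

    def remember(self, origin: str, allow: bool) -> None:
        self._allow[origin] = allow

    def always_ask(self, origin: str) -> None:
        """User switched the permission back to 'always ask'."""
        self._allow.pop(origin, None)


def decide(url: str, www_authenticate: str, trusted: List[str],
           store: PermissionStore) -> Decision:
    """Decision for one challenge before any token is generated."""
    if "negotiate" not in challenge_schemes(www_authenticate):
        return Decision.SKIP
    if not uri_trusted(url, trusted):
        return Decision.DENY          # untrusted URI: never send SSO credentials
    remembered = store.get(origin_of(url))
    if remembered is None:
        return Decision.PROMPT        # first Negotiate challenge from this site
    return Decision.ALLOW if remembered else Decision.DENY


def answer_prompt(store: PermissionStore, url: str, allow: bool,
                  remember: bool) -> Decision:
    """Apply the user's answer; with remember=True it becomes a site permission."""
    if remember:
        store.remember(origin_of(url), allow)
    return Decision.ALLOW if allow else Decision.DENY


def request_headers(decision: Decision, gssapi_token: str) -> Dict[str, str]:
    """Only ALLOW puts the SSO token on the wire."""
    if decision is Decision.ALLOW:
        return {"Authorization": f"Negotiate {gssapi_token}"}
    return {}


if __name__ == "__main__":
    trusted = parse_trusted_uris("https://")      # "every https:// page is trusted"
    store = PermissionStore()
    url = "https://intranet.example.com/app"      # constructed sample URL
    print(decide(url, "Negotiate", trusted, store))             # PROMPT
    print(answer_prompt(store, url, allow=True, remember=True))  # ALLOW
    print(decide(url, "Negotiate, NTLM", trusted, store))       # ALLOW, no prompt
    store.always_ask(origin_of(url))
    print(decide(url, "Negotiate", trusted, store))             # PROMPT again
```

The token itself is never produced before the decision is ALLOW, which is the property the bug asks for: a site that sends the challenge learns nothing about the user until the user (or a remembered permission) says so, while a one-off answer (remember=False) leaves the store untouched so the next visit prompts again.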
Comment 6 • 8 years ago
Mass wontfix for bugs affecting firefox 52.
Comment 7 • 8 years ago
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P5
Comment 8 • 8 years ago
JC, can you take a look at this?
Flags: needinfo?(tanvi) → needinfo?(jcjones)
Comment 9 • 8 years ago
I wonder if using Containers / Contextual Identity is the more right move here than a UI change.
Most of the time Enterprise users do want to have their SSO credentials follow them around. Perhaps we could do something where containers don't provide them, or expose a WebExtensions flag to turn them on/off so that the Containers addon could impose its own toggle on a per-container basis.
It's such a corner case though - and one that I could see administrators wanting to disable - that I don't think I agree we should do UX like that proposed here. For most users I think it'd just be confusing.
Tying it into something like containers would let people who want to have more control get it, though.
Flags: needinfo?(jcjones)
Updated • 3 years ago
Severity: normal → S3