Closed Bug 1321785 Opened 7 years ago Closed 7 years ago

A site can reissue infinite background requests leading to HTTP authentication requests, causing infinite "Authentication Required" popups that block the entire browser and make it impossible to close the tab

Categories

(Firefox :: Untriaged, defect)

52 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1312243

People

(Reporter: u580221, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20161124004020

Steps to reproduce:

A site can reissue infinite requests leading to an HTTP authentication request, causing infinite "Authentication Required" popups that block the entire browser and make it impossible to close the tab.

I have discovered this by accident with an etherpad instance (which is a collaborative text editor that will aggressively try to re-establish connection) on a server that requires HTTP authentication where my credentials no longer work - it basically turned my browser unusable and I just had enough time to close the affected tab in between the repeated prompts if I hurried up, but a malicious site could easily use a faster interval.

The solution is obvious: the HTTP authentication prompt must be modal to the site content only and must not block interaction with the tab bar to close the potentially malicious site, as is the case now.
Summary: A site can reissue infinite requests leading to a HTTP authentication request, causing infinite "Authentication Required" popups that block the entire browser and make it impossible to close the tab → A site can reissue infinite background requests leading to a HTTP authentication request, causing infinite "Authentication Required" popups that block the entire browser and make it impossible to close the tab
Summary: A site can reissue infinite background requests leading to a HTTP authentication request, causing infinite "Authentication Required" popups that block the entire browser and make it impossible to close the tab → A site can reissue infinite background requests leading to HTTP authentication requests, causing infinite "Authentication Required" popups that block the entire browser and make it impossible to close the tab
This is probably related to #411085 but I think it should be recognized that this is a real denial of service vulnerability, not just some UI overhaul problem.
We're aware of this type of issue and are working on it (separately from converting http modal auth things to be tab-modal, which is more difficult).
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Making the dialogs tab modal is bug 613785.
Group: firefox-core-security