Closed Bug 1331224 Opened 8 years ago Closed 8 years ago

Spurious insecure password warning on Bugzilla

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1329940
Tracking Flags:
Tracking Status
firefox53 --- affected

People

(Reporter: ekr, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

Attachments

(1 file, 1 obsolete file)

Screen Shot 2017-01-14 at 5.36.16 PM.png
646.73 KB, image/png
Details
Attached image Screen Shot 2017-01-14 at 5.34.19 PM.png (obsolete) —
No description provided.
Attachment #8826893 - Attachment is obsolete: true
P.S. This was Nightly
From the screenshot I can see you were on enter_bug.cgi, what linked you to this page? If it was an insecure site then window.opener could have been insecure and this would be a dupe of bug 1329940.
Blocks: 1304224
URL: https://bugzilla.mozilla.org/enter_bu...
Component: Untriaged → Password Manager
Flags: needinfo?(ekr)
Product: Firefox → Toolkit
See Also: → 1329940
I went to b.m.o and clicked "new". Unfortunately, I can't repro it.
Flags: needinfo?(ekr)
I don't know why bugzilla.mozilla.org wouldn't be a secure context, but given this intermittent bug and others, I think we should switch to a more naive approach (isOriginPotentiallyTrustworthy) instead of using isSecureContext. See bug https://bugzilla.mozilla.org/show_bug.cgi?id=1329940. We can use isSecureContext in Nightly and debug issues and reports that come up there, until we are satisfied enough to use it in release.
(In reply to Tanvi Vyas - behind on bugmail [:tanvi] from comment #5) > I don't know why bugzilla.mozilla.org wouldn't be a secure context, but > given this intermittent bug and others, I think we should switch to a more > naive approach (isOriginPotentiallyTrustworthy) instead of using > isSecureContext. See bug > https://bugzilla.mozilla.org/show_bug.cgi?id=1329940. We can use > isSecureContext in Nightly and debug issues and reports that come up there, > until we are satisfied enough to use it in release. I don't have any reason to think this isn't caused by window.opener and therefore a dupe of bug 1329940. When the problem occurs we need to see the web console output for window.opener. In case you didn't know window.opener persists across top-level cross-origin loads so likely the tab in the screenshot was originally opened from an insecure context.
Duping to bug 1329940. Re-open if you can show that window.opener in your web console is secure.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: