Spurious insecure password warning on Bugzilla

RESOLVED DUPLICATE of bug 1329940

Status

Toolkit
Password Manager
11 months ago
11 months ago

People

(Reporter: ekr, Unassigned)

Tracking

(Blocks: 1 bug)

Trunk

Firefox Tracking Flags

(firefox53 affected)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

11 months ago
Created attachment 8826893 [details]
Screen Shot 2017-01-14 at 5.34.19 PM.png
(Reporter)

Comment 1

11 months ago
Created attachment 8826894 [details]
Screen Shot 2017-01-14 at 5.36.16 PM.png
Attachment #8826893 - Attachment is obsolete: true
(Reporter)

Comment 2

11 months ago
P.S. This was Nightly
From the screenshot I can see you were on enter_bug.cgi. What linked you to this page? If it was an insecure site then window.opener could have been insecure and this would be a dupe of bug 1329940.
Blocks: 1304224
Component: Untriaged → Password Manager
Flags: needinfo?(ekr)
Product: Firefox → Toolkit
See Also: → bug 1329940
(Reporter)

Comment 4

11 months ago
I went to b.m.o and clicked "new".

Unfortunately, I can't repro it.
Flags: needinfo?(ekr)

Comment 5

11 months ago
I don't know why bugzilla.mozilla.org wouldn't be a secure context, but given this intermittent bug and others, I think we should switch to a more naive approach (isOriginPotentiallyTrustworthy) instead of using isSecureContext.  See bug https://bugzilla.mozilla.org/show_bug.cgi?id=1329940.  We can use isSecureContext in Nightly and debug issues and reports that come up there, until we are satisfied enough to use it in release.
(In reply to Tanvi Vyas - behind on bugmail [:tanvi] from comment #5)
> I don't know why bugzilla.mozilla.org wouldn't be a secure context, but
> given this intermittent bug and others, I think we should switch to a more
> naive approach (isOriginPotentiallyTrustworthy) instead of using
> isSecureContext.  See bug
> https://bugzilla.mozilla.org/show_bug.cgi?id=1329940.  We can use
> isSecureContext in Nightly and debug issues and reports that come up there,
> until we are satisfied enough to use it in release.

I don't have any reason to think this isn't caused by window.opener and therefore a dupe of bug 1329940. When the problem occurs we need to see the web console output for window.opener. In case you didn't know, window.opener persists across top-level cross-origin loads, so likely the tab in the screenshot was originally opened from an insecure context.
Duping to bug 1329940. Re-open if you can show that window.opener in your web console is secure.
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1329940
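
The difference between the two checks discussed in the comments, as an added example that is not part of the original bug or Firefox's code. It is a simplified model that assumes only what the thread describes (a secure context needs a secure opener, and the opener survives navigation); the context objects, `navigate`, `whyInsecure`, `scenario` and the example.com URLs are hypothetical or constructed.

```javascript
// Simplified model (assumption): a context is { url, opener }, opener is a context or null.

// Origin-only check: looks at the document's own URL and nothing else.
function isOriginPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         /^127\.\d+\.\d+\.\d+$/.test(host) || host === "[::1]";
}

// Context check as described in the thread: the document's own origin must be
// trustworthy AND the opener it still references must be a secure context.
function isSecureContext(ctx) {
  if (!isOriginPotentiallyTrustworthy(ctx.url)) return false;
  return ctx.opener === null || isSecureContext(ctx.opener);
}

// A top-level navigation replaces the document but keeps the opener reference,
// which is why an HTTPS page can inherit an insecure opener.
function navigate(ctx, url) {
  return { url, opener: ctx.opener };
}

// Triage helper: names the reason a context is not secure, or returns null.
function whyInsecure(ctx) {
  if (!isOriginPotentiallyTrustworthy(ctx.url)) return `insecure origin: ${ctx.url}`;
  if (ctx.opener && !isSecureContext(ctx.opener)) return `insecure opener: ${ctx.opener.url}`;
  return null;
}

// Constructed scenario: an http page opens a tab that is later navigated to Bugzilla,
// compared with a tab that loaded the same HTTPS page with no opener.
function scenario() {
  const target = "https://bugzilla.mozilla.org/enter_bug.cgi";
  const httpPage = { url: "http://example.com/links.html", opener: null };
  const popup = { url: "http://example.com/popup.html", opener: httpPage };
  const viaHttpOpener = navigate(popup, target);
  const direct = { url: target, opener: null };
  const report = (c) => ({
    originTrustworthy: isOriginPotentiallyTrustworthy(c.url),
    secureContext: isSecureContext(c),
    reason: whyInsecure(c),
  });
  return { viaHttpOpener: report(viaHttpOpener), direct: report(direct) };
}

console.log(scenario());
```

In the model, the tab reached through the http opener passes the origin check but fails the context check, which is the mismatch that would produce a warning on an HTTPS login form.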