Closed
Bug 1333687
Opened 7 years ago
Closed 7 years ago
Insecure-login-form UI appears incorrectly, in secure tab spawned from insecure page (at wedsure.com)
Categories
(Firefox :: Security, defect)
Firefox
Security
Tracking
()
VERIFIED
DUPLICATE
of bug 1329940
People
(Reporter: dholbert, Unassigned)
References
()
Details
Attachments
(2 files)
screenshot of bug (at step 3, with insecure form UI & EV-site-identiy shown simultaneously)
STR: 1. Visit http://www.wedsure.com/ (note: HTTP) 2. Click "Sign in" at top right of page --> A new tab gets opened, at https://service.rvnuccio.com/admin/auth/login (note: this new tab is HTTPS) 3. Click the username field, and see what happens. Click the site identity button (at left of URL bar), and see what happens. 4. OPTIONAL: Manually open a new tab at the same URL, and repeat step 3 in that new tab for comparison. ACTUAL RESULTS: - In step 3 (in the auto-spawned tab), we show the insecure-form UI (with green external-validation UI alongside it). In step 4 (in the manually opened tab), we do not show any insecure form UI. EXPECTED RESULTS: Steps 3 and 4 should produce consistent results. They should both show no insecure form UI. In particular, in step 3: * When I click the username field, I see the insecure-form warning dropdown ("This connection is not secure"). This is extremely confusing because we're showing the green external-validation UI in the URL bar. * When I click the site identity button, its dropdown has a lock with a slash through it, plus "Secure connection", plus "Logins entered on this page could be compromised". (In other words, the UI is self-contradictory.)
|
Reporter | |
Updated•7 years ago
|
Flags: needinfo?(tanvi)
|
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
|
|
Reporter | |
Comment 3•7 years ago
|
||
BTW, the wrapping <form> element here is pointing at a secure URL, too, AFAICT -- it looks like this: <form class="form-signin" method="post" action="/admin/auth/signIn" autocomplete="off" id="rvnaSigninForm" name="rvnaSigninForm" novalidate="novalidate"> Since this is an HTTPS (with EV) page, then relative URLs like "/admin/auth/signIn" can be assumed to also be secure. So, AFAICT, there's no reason for the "Logins entered here could be compromised" UI.
|
||
Comment 4•7 years ago
|
||
Thanks for including the precise STR. This is happening because window.opener points to an insecure page. See bug 1329940 for more info (we're working on it).
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(tanvi)
Resolution: --- → DUPLICATE
|
|
Reporter | |
Comment 5•7 years ago
|
||
The form fields seem to be fixed now, via duplicate-target bug 1329940. Marking as VERIFIED dupe. I spun off bug 1334201 for the Site Identity doorhanger issue here, which is not yet fixed. I'm using latest Nightly 54.0a1 (2017-01-26) (64-bit)
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•