reproducible: have not tried yet. 1) Go to some https page 2) Go to password-protected http url Expected: security warning pops up before anything interesting happens. Actual: password dialog is shown first, only afterwards Mozilla warns me that the password was just transmitted in the clear... BuildId 2002032109 on RedHat Linux 7.2
Let's try that again...
interesting bug... it probably means that whoever is issuing those warnings isn't doing it until HTTP sends out an OnStartRequest.... seems like they should do it once a non-HTTPS URL is requested. i'm not sure who owns that dialog... -> docshell (perhaps?)
In Netscape 4 the warning dlg used to appear before the insecure page starts loading. In Mozilla it seems that it only appears when the insecure page finishes loading.
cc'ing some security folks... they'd know where these dialogs hook in and would probably want to own this bug.
We need to fix 62178, and this issue will then be fixed, too. Allowing people to cancel the request also means, that the future warning will fire up early enough in the process, to guarantee that the warning will be shown before any data gets transferred. The current behaviour of the security warnings is doing it very late. It reacts on page load progress events, which are sent out after the transfer has started. *** This bug has been marked as a duplicate of 62178 ***