When a http form is injected via JavaScript the padlock doesn't change to broken

Status: NEW
Assignee: Unassigned
Product: Toolkit
Component: Password Manager
Priority: P3
Severity: normal
Opened: a year ago
Updated: 11 months ago
Reporter: jkt
Blocks: 1 bug
Firefox Tracking Flags: Not tracked
Whiteboard: [fxprivacy]

(Reporter)

Description

a year ago
STR:

1. Go to: mozilla.com
2. Open the developer console and submit:

    let form = document.createElement('form');
    form.setAttribute("action", "http://example.com");
    form.innerHTML = "<input type=\"password\"/>";
    document.body.appendChild(form);

The console warns with:
Password fields present in a form with an insecure (http://) form action. This is a security risk that allows user login credentials to be stolen.

However, the insecurePassword padlock isn't present in the URL bar like it is for: http://http-dynamic-login.badssl.com/

However, going to http://http-credit-card.badssl.com/ (which currently doesn't break the padlock) and changing a text field in the inspector to a password breaks the padlock.
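
The condition the console warning above describes, written as a page-side audit that is re-run on DOM changes so forms injected after load are covered. This is an added example, not part of the original report and not Firefox's implementation; the function names, the stub objects and the https scheme assumed for mozilla.com are assumptions made for the example.

```javascript
// Added example, not Firefox code. All names here are hypothetical.

// An empty or missing action submits to the document URL; relative actions
// resolve against it, as in a browser.
function isInsecureFormAction(action, documentUrl) {
  try {
    return new URL(action || documentUrl, documentUrl).protocol === 'http:';
  } catch (e) {
    return false; // unparsable action: nothing to resolve
  }
}

// Password inputs under `root` whose owning form posts over http://.
function findInsecurePasswordFields(root, documentUrl) {
  return Array.from(root.querySelectorAll('input[type="password"]')).filter(
    (input) => input.form &&
      isInsecureFormAction(input.form.getAttribute('action'), documentUrl));
}

// Browser only: scan now, then again on every DOM change, so a form appended
// after load (as in the STR) or a field switched to type=password is caught.
function watchForInsecurePasswordFields(doc, onFound) {
  const seen = new WeakSet(); // report each field once
  const scan = () => {
    const fresh = findInsecurePasswordFields(doc, doc.location.href)
      .filter((input) => !seen.has(input));
    fresh.forEach((input) => seen.add(input));
    if (fresh.length) onFound(fresh);
  };
  scan();
  const observer = new MutationObserver(scan);
  observer.observe(doc.documentElement, {
    childList: true, subtree: true,
    attributes: true, attributeFilter: ['type', 'action'],
  });
  return observer;
}

// Constructed stand-ins for the injected form, so the check runs outside a browser.
const strForm = { getAttribute: () => 'http://example.com' };
const strRoot = { querySelectorAll: () => [{ form: strForm }, { form: null }] };
const ASSUMED_PAGE_URL = 'https://mozilla.com/'; // scheme assumed
```

In a page, `watchForInsecurePasswordFields(document, fields => console.warn(fields))` reports each offending field once, whether it was in the initial markup or appended later.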
(Reporter)

Comment 1

a year ago
Interestingly, this works in a content script in an extension (which was my initial use-case); perhaps there is a race condition causing the padlock not to be broken after load? Even with a setTimeout the extension still works, though.

Jonathan: who implemented the UI for this? We should needinfo or assign to that person, but it sounds more front-end than backend "DOM Security".
Flags: needinfo?(jkt)
(Reporter)

Updated

a year ago
Component: DOM: Security → Security
Flags: needinfo?(jkt) → needinfo?(paolo.mozmail)
Product: Core → Firefox

Comment 3

a year ago
This bug probably needs to be moved to the right front-end component.
Flags: needinfo?(paolo.mozmail)
Flags: needinfo?(jhofmann)
Flags: needinfo?(MattN+bmo)
I think this is Password Manager :)
Component: Security → Password Manager
Flags: needinfo?(jhofmann)
Flags: needinfo?(MattN+bmo)
Product: Firefox → Toolkit
Whiteboard: [fxprivacy] [triage]
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
(Reporter)

Comment 5

a year ago
:MattN asked if the field had an in-context warning on the password field... I can confirm that it does. This may reduce the priority.
Priority: P3 → --
Whiteboard: [fxprivacy] → [fxprivacy] [triage]

Updated

11 months ago
Priority: -- → P4
Whiteboard: [fxprivacy] [triage] → [fxprivacy]

Comment 6

11 months ago
Back to P3.
Priority: P4 → P3