Open Bug 1349739 Opened 7 years ago Updated 2 years ago

The "insecure login" closes after consuming a context menu click on another window


(Firefox :: Security, defect, P5)

52 Branch




(Reporter: allo, Unassigned)


(Blocks 1 open bug)


(Whiteboard: [sec-insecure-third-party-site-reviewed])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20170316213829

Steps to reproduce:

- Visit a site with an insecure login
- The username field has focus, the notice is shown
- Right click into another window

Actual results:

- the notice is hidden
- no action in the other window

Expected results:

- the notice should stay open
- the context menu of the other window should be opened there

This may be a Linux (X11-specific) problem, as the X Window System does not allow two (context) menus to be open at the same time.

A good fix would be to use another type of GUI element or style it with HTML.
OS: Unspecified → Linux
Hardware: Unspecified → All
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Component: Password Manager → Security
Product: Toolkit → Firefox
Whiteboard: [sec-insecure-third-party-site-reviewed]
Bug 1217162.
Blocks: 1304224
The warning isn't a context menu… it's an autocomplete menupopup but I get what you're saying about the click outside.
Summary: the "insecure login" notice should not be a context menu → The "insecure login" closes after consuming a context menu click on another window
The problem with using this kind of UI is that it tries to be a non-modal UI, but it turns out to be modal for the whole desktop, just that it closes when you click anywhere.
The difference from the autocomplete popup before is that Firefox now opens the popup by default to show the warning, while you had to focus the input (and maybe even type something) to get a popup menu before the warning was introduced.

The "do you want to save the password" doorhanger has a similar problem, even though it's styled in a totally different way.
But it still behaves like such a menu, meaning that it, for example, closes when you click something in another window and prevents focus switching in window managers with "focus follows mouse" (tested with kwin and the "activation on mouse contact (mouse preferred)" setting).
Without "focus follows mouse" you have to click twice instead of once to activate another window, so it's quite the same: a passive popup consumes the first click (even outside its parent window) and closes, while you probably did not want to close it and are wondering why your click didn't work.

I think this should be solved in another way, because it's a good idea to have it non-modal, but when it comes to the focus behaviour related to other applications, it is more desktop-modal than an http-auth window, which loses focus when using "focus follows mouse", so other windows can be activated.

On the other hand, it would be nice to keep it open when doing something in another window. Clicking something in the Firefox UI may mean "I do not want to interact", but using other windows may mean "I will interact later" (especially with the "save password" doorhanger).
On Mac I can click in other windows and the warning stays visible, but if I click elsewhere in the same page it goes away because the text field has lost focus. Clicking back in the text field brings back the warning. If Linux requires us to close it on loss of focus to another window that seems fine if we bring it back when that field and page have focus again. But even if we don't at least the user saw the warning the first time on that page (and really our main hope is that cumulative warned users push sites to improve their security practice since there's little users can otherwise do except not use that site).
Ever confirmed: true
Priority: -- → P5
I do not really care about the window in Firefox. If you like to make it a full page warning. But I do care about the click it consumes. This gives Firefox something like a modal behaviour, where you first need to cancel something in Firefox before you can work with other programs.

Won't this be replaced by a full warning "the page is insecure" soon anyway? I guess this will go into the urlbar and have a permanent character without any popup-like behaviour.
Severity: normal → S3