Closed Bug 1354549 Opened 7 years ago Closed 7 years ago

Connection is not secure in cross domain forms posting to SSL sites

Categories

(Firefox :: Security, defect)

52 Branch
defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: marc.bau, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170316213829

Steps to reproduce:

We have a website that has a form embedded. The form target URL is HTTPS://, but the website itself is on HTTP. This was intentionally done in the past and is not wrong.

The error is incorrect and needs to be removed.

<form id="foo" action="https://www.example.com/login" method="post" class="form">
  <div class="form-group">
    <label for="email">E-Mail</label>
    <input id="email" name="email" value="" type="text">
  </div>
  <div>
    <label for="pwd">Password</label>
    <input id="pwd" name="password" value="" type="password">
  </div>
</form>


Do not suggest switching the site to SSL, please. This is a bug. Chrome 57 does not show an error. They are doing it correctly.


Actual results:

A warning is shown on the fields and inside the URL that the form is insecure, but it is not insecure.


Expected results:

No warning if the form post goes to an SSL URL.

Hi Marc,

(In reply to Marc Bauer from comment #0)
> We have a website that has a form embedded. The form target URL is HTTPS://,
> but the website itself is on HTTP. This was intentionally done in past and
> is not wrong.

That's your opinion and doesn't align with the views I see from security experts.

> The error is incorrect and need to be removed.
> 
> <form id="foo" action="https://www.example.com/login" method="post"
> class="form">
>   <div class="form-group">
>     <label for="email">E-Mail</label>
>     <input id="email" name="email" value="" type="text">
>   </div>
>   <div>
>     <label for="pwd">Password</label>
>     <input id="pwd" name="password" value="" type="password">
>   </div>
> </form>
> 
> 
> Do not suggest to switch the site to SSL, please. This is a bug. Chrome 57
> does not show an error. 

This is not a bug, it is intentional as the action being https means nothing if I can man-in-the-middle the form page load itself (since it's HTTP) and replace the whole page or change the form action to evil.com. I can also inject JS into the insecure page and steal the typed password regardless of what the @action says.

See https://www.troyhunt.com/your-login-form-posts-to-https-but-you/ for more reading.

> They are doing it correctly.

I would consider this a bug in Chrome but I actually suspect it's known and perhaps they are more gradually rolling this out, initially ignoring @action.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Component: Untriaged → Security
Resolution: --- → INVALID
> Do not suggest to switch the site to SSL, please. This is a bug. Chrome 57
> does not show an error. They are doing it correctly.

Chrome is going to start flagging websites as "not secure" in 62 as soon as a user types anything into a field on a website that's using HTTP. As mentioned in the blog [1]:

"Passwords and credit cards are not the only types of data that should be private. Any type of data that users type into websites should not be accessible to others on the network, so starting in version 62 Chrome will show the “Not secure” warning when users type data into HTTP sites."

[1] https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html