Open
Bug 1364080
Opened 8 years ago
Updated 3 years ago
Insecure password warning appears inside iframes on pages with top-level local IP address hosts
Categories
(Firefox :: Security, enhancement, P3)
NEW
People
(Reporter: johannh, Unassigned)
We whitelist pages with local IP addresses as hostnames (and locally hosted iframes embedded in the page) when showing the insecure password warning. We might also want to consider not showing the warning for any non-local iframes on the page (we currently show the warning even if the iframe is HTTPS, which is really nonsensical).
Since we get the secure status from "isSecureContextIfOpenerIsIgnored" it would probably be technically much easier to allow both HTTP and HTTPS iframes, but allowing only HTTPS iframes could be more practical to drive HTTPS adoption, as there's no reason the domain owner shouldn't get a certificate.
Comment 1•8 years ago
Can you include a testcase/example to make this more clear?
Comment 2•8 years ago (Reporter)
Serve this on a local server and open it via a local IP address:
<html>
<head></head>
<body>
<iframe src="https://jsfiddle.net/945yrLe7/1/embedded/result/"></iframe>
</body>
</html>
Updated•8 years ago
Priority: -- → P3
Updated•3 years ago
Severity: normal → S3
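The three behaviours discussed in this bug, modelled as an added JavaScript example (not Firefox source code) and run against the Comment 2 testcase. Assumptions: "local IP address" is taken to mean IPv4 loopback or RFC 1918 private ranges, the policy names are hypothetical labels, and the top-level address is a constructed sample.

```javascript
// Added illustration: models the warning decision; not Firefox source code.
// Assumption: "local IP" = IPv4 loopback or RFC 1918 private ranges.
function isLocalIP(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((n) => n > 255)) return false;
  return a === 127 || a === 10 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31);
}

// Hypothetical names for the current behaviour and the two proposals.
const POLICIES = ["current", "allowAnyIframe", "allowHttpsIframeOnly"];

// True when the insecure password warning would be shown for a password
// field in the document at frameUrl, embedded in the page at topUrl.
function showsWarning(topUrl, frameUrl, policy) {
  if (!POLICIES.includes(policy)) throw new Error(`unknown policy: ${policy}`);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  // Simplified secure-context check for one level of nesting: the frame
  // is secure only if both it and its parent were loaded over HTTPS.
  if (top.protocol === "https:" && frame.protocol === "https:") return false;
  if (!isLocalIP(top.hostname)) return true;   // no exemption applies
  if (isLocalIP(frame.hostname)) return false; // whitelisted today
  // Remaining case: non-local iframe under a local-IP top-level page.
  if (policy === "allowAnyIframe") return false;
  if (policy === "allowHttpsIframeOnly") return frame.protocol !== "https:";
  return true; // "current": warns even though the iframe is HTTPS
}

// Constructed sample: the Comment 2 testcase served from a private address.
const TOP = "http://192.168.1.10/test.html";
const FRAME = "https://jsfiddle.net/945yrLe7/1/embedded/result/";

// Returns { policy: warningShown } for one top-level/iframe pair.
function compare(topUrl, frameUrl) {
  return Object.fromEntries(
    POLICIES.map((p) => [p, showsWarning(topUrl, frameUrl, p)]));
}

console.log(compare(TOP, FRAME));
console.log(compare(TOP, "http://example.com/login"));
```

The two proposals differ only for a non-local HTTP iframe: `allowAnyIframe` suppresses the warning there, while `allowHttpsIframeOnly` keeps it.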