Closed
Bug 1364208
Opened 7 years ago
Closed 7 years ago
Insecure password warning appears for insecure form submit actions on local IP address hosts
Categories
(Firefox :: Security, enhancement, P3)
Firefox
Security
Tracking
()
RESOLVED
FIXED
Firefox 59
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | fixed |
People
(Reporter: johannh, Assigned: johannh)
References
Details
Attachments
(1 file)
We whitelist local IP addresses for showing the insecure password warning but we still flag forms on those pages that have submit actions we consider insecure, i.e everything that is not https:// We should still flag http:// form actions, but forms that just direct to other local pages are probably fine.
| Comment hidden (mozreview-request) |
|
Assignee | |
Updated•7 years ago
|
Assignee: nobody → jhofmann
Status: NEW → ASSIGNED
|
||
Comment 2•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8870994 [details] Bug 1364208 - Consider local IP address form actions secure for the insecure password warning. https://reviewboard.mozilla.org/r/142564/#review165006 ::: toolkit/components/passwordmgr/InsecurePasswordUtils.jsm:91 (Diff revision 1) > let principal = gScriptSecurityManager.getCodebasePrincipal(uri); > > if (uri.schemeIs("http")) { > isFormSubmitHTTP = true; > - if (gContentSecurityManager.isOriginPotentiallyTrustworthy(principal)) { > + if (gContentSecurityManager.isOriginPotentiallyTrustworthy(principal) || > + this._isPrincipalForLocalIPAddress(principal)) { Ideally this condition should also check the form is on a local IP otherwise it would be easy for a regular website to prevent our warning by setting their @action to a local IP address and then actually submit the form to a different address using JS to change @action before submission or simply using an XHR instead: ```js (this._isPrincipalForLocalIPAddress(aForm.rootElement.nodePrincipal) && this._isPrincipalForLocalIPAddress(principal)) ```
Attachment #8870994 -
Flags: review?(MattN+bmo)
|
||
Updated•7 years ago
|
Priority: -- → P3
| Comment hidden (mozreview-request) |
|
|
||
Comment 4•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8870994 [details] Bug 1364208 - Consider local IP address form actions secure for the insecure password warning. https://reviewboard.mozilla.org/r/142564/#review210298 Thanks. I wish we had tests for this but this is overdue on getting fixed to address routers so don't block on it. We were not able to use 127.0.0.1 for a mochitest?
Attachment #8870994 -
Flags: review?(MattN+bmo) → review+
|
|
Assignee | |
Comment 5•7 years ago
|
||
(In reply to Matthew N. [:MattN] (PM if requests are blocking you) from comment #4) > Comment on attachment 8870994 [details] > Bug 1364208 - Consider local IP address form actions secure for the insecure > password warning. > > https://reviewboard.mozilla.org/r/142564/#review210298 > > Thanks. I wish we had tests for this but this is overdue on getting fixed to > address routers so don't block on it. We were not able to use 127.0.0.1 for > a mochitest? Thanks for the review! I can't really remember what it was, but there was definitely an issue in retrieving the local address of the mochitest server (I had a whole patch that tried to get it using WebRTC). I asked around back then and nobody was able to help me. So unfortunately that doesn't sound possible. We could open a new bug in the appropriate component to find a way to expose this to us, it could be helpful in the future.
Pushed by jhofmann@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b53c7903818a Consider local IP address form actions secure for the insecure password warning. r=MattN
|
||
Comment 7•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/b53c7903818a
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox59:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 59
You need to log in
before you can comment on or make changes to this bug.
Description
•