Posting a form to about:blank results in an "insecure connection" warning

UNCONFIRMED
Unassigned

Status

()

P3
normal
UNCONFIRMED
a year ago
a year ago

People

(Reporter: bmckeever, Unassigned)

Tracking

54 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

I have a login dialog that authenticates over a web service.  In order to trigger the browser to offer to remember the user's credentials, I post the form to about:blank in an iframe.  When the page is loaded over SSL, this results in an insecure channel warning, even though the information is not sent anywhere.  This seems unique to Firefox; IE and Chrome don't complain.

HTML to reproduce:
<!DOCTYPE html>
<html>
<head>
</head>
<body>
<iframe src="about:blank" name="theTarget"></iframe>
<form action="about:blank" method="post" target="theTarget">
<input type="text" name="name"><input type="password" name="password">
<input type="submit" value="login">
</form>
</body>
</html>


Actual results:

The user sees an "insecure connection" warning.  This may be a new warning, I don't remember seeing it come up the last time my feature changed (December 2016).


Expected results:

The user should not see a warning
Component: Untriaged → Security
Product: Firefox → Core
Matt, I'm not sure if this is a Password Manager issue or an implementation problem on the part of the submitter.
Component: Security → Password Manager
Flags: needinfo?(MattN+bmo)
Product: Core → Toolkit
(Reporter)

Comment 2

a year ago
I'd guess not Password Manager, that's only the motivation for the particular setup that triggers the behavior.  I think for some reason "about:blank" is being marked as insecure, and that's the root cause.
(Reporter)

Comment 3

a year ago
Any idea if this is a bug in Firefox or if there is something wrong with the code I've submitted?

Thanks
window.isSecureContext is false on about:blank and that's basically what we use to determine if a form and it's action is secure. The spec seems to say about:blank should be potentially trustworthy so maybe this is a bug in that DOM code: https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy
(Reporter)

Comment 5

a year ago
Interesting find, thanks for looking into it.  FWIW, Chrome seems to also have isSecureContext false on an iframe with src="about:blank" (assuming my test checks the correct thing), but it does allow the POST without a warning.
(Reporter)

Comment 6

a year ago
So do you think this is not a FF bug?  Do you know of another way to trigger the password manager that doesn't also require an additional resource (like loading https://hostname/blank.html into the frame)?  I guess I could experiment with a resource that would already be cached, like favico.
Call event.preventDefault in the 'submit' event listener if you don't want it to actually load the @action
P3 since I think submitting to about:blank is not common.
Flags: needinfo?(MattN+bmo)
Priority: -- → P3

Comment 9

a year ago
I just stumbled upon this problem too.

We have a similar but broader use case. So we have an SPA that has multiple steps with forms which are not submitted to the server. But still we would like the browser to give autocompletion support to the user when he goes through them again. I have not found another solution to "trick" all major browsers into storing entered form data in this case.

So for us it would be nice to see this fixed. Or if someone here has a good solution to this problem I'd be interested.
You need to log in before you can comment on or make changes to this bug.