Do not allow an auth prompt requested by an image resource loaded from cross-origin
RESOLVED
FIXED
in Firefox 59
Status
()
People
(Reporter: dragana, Assigned: dragana)
Tracking
({dev-doc-complete, site-compat})
Firefox Tracking Flags
(firefox59 fixed)
Details
(Whiteboard: [necko-triaged])
Attachments
(1 attachment)
|
1.46 KB,
patch
|
ckerschb
:
review+
|
Details | Diff | Splinter Review |
We only need to change pref.
|
Assignee | |
Comment 1•2 years ago
|
||
Chrome already have this as default(bug 647010 comment 87) so I do not expect that we will break something.
|
|
Assignee | |
Comment 2•2 years ago
|
||
Attachment #8934471 -
Flags: review?(ckerschb)
|
|
Assignee | |
Comment 3•2 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=4a10f8ec00782460b6a28a57dba36bae1ccca96a
|
||
Updated•2 years ago
|
Attachment #8934471 -
Flags: review?(ckerschb) → review+
|
|
Assignee | |
Comment 5•2 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4) > Do we need an intent-to-ship for this? I will write one, although Chrome already implement this.
|
||
Updated•2 years ago
|
Keywords: dev-doc-needed,
site-compat
|
||
Updated•2 years ago
|
Priority: -- → P3
Whiteboard: [necko-triaged]
Pushed by dd.mozilla@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1a59ea77d44f Change a pref so that an auth prompt requested by an image resource loaded from cross-originis not allowed. r=ckerschb
|
|
||
Comment 7•2 years ago
|
||
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2017/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-images/
|
||
Comment 8•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1a59ea77d44f
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
||
Comment 9•2 years ago
|
||
I've documented this on MDN: * Added a note to the Fx59 rel notes: https://developer.mozilla.org/en-US/Firefox/Releases/59#Security * Added a small section to the HTTP authentication page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Authentication_of_cross-origin_images Let me know if this is OK. Thanks!
Flags: needinfo?(dd.mozilla)
Keywords: dev-doc-needed → dev-doc-complete
|
|
Assignee | |
Comment 10•Last year
|
||
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #9) > I've documented this on MDN: > > * Added a note to the Fx59 rel notes: > https://developer.mozilla.org/en-US/Firefox/Releases/59#Security > > * Added a small section to the HTTP authentication page: > https://developer.mozilla.org/en-US/docs/Web/HTTP/ > Authentication#Authentication_of_cross-origin_images > > Let me know if this is OK. Thanks! Looks good. Thanks.
Flags: needinfo?(dd.mozilla)
|
||
Comment 11•Last year
|
||
Hello! This bug is just the same as my Bug 647010, which I informed Mozilla about in March 2011. This is vulnerability in all browsers, which support Basic/Digest Authentication, as I wrote in my entry. So a lot of web browsers are vulnerable, not only Firefox. I called this attack as Onsite phishing (or Inline phishing). It can be used (including by phishers) for stealing of logins and passwords of users of web sites.
You need to log in
before you can comment on or make changes to this bug.
Description
•