Closed Bug 1423146 Opened 7 years ago Closed 7 years ago

Do not allow an auth prompt requested by an image resource loaded from cross-origin

Categories

(Core :: Networking: HTTP, enhancement, P3)

59 Branch
enhancement

Tracking


RESOLVED FIXED
mozilla59
Tracking Status
firefox59 --- fixed

People

(Reporter: dragana, Assigned: dragana)

References

Details

(Keywords: dev-doc-complete, site-compat, Whiteboard: [necko-triaged])

Attachments

(1 file)

We only need to change a pref.
Chrome already has this as the default (bug 647010 comment 87), so I do not expect that we will break anything.
Attachment #8934471 - Flags: review?(ckerschb)
Do we need an intent-to-ship for this?
Depends on: 1357835
Attachment #8934471 - Flags: review?(ckerschb) → review+
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)
> Do we need an intent-to-ship for this?

I will write one, although Chrome already implements this.
Priority: -- → P3
Whiteboard: [necko-triaged]
Pushed by dd.mozilla@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1a59ea77d44f
Change a pref so that an auth prompt requested by an image resource loaded from cross-origin is not allowed. r=ckerschb
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2017/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-images/
https://hg.mozilla.org/mozilla-central/rev/1a59ea77d44f
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
I've documented this on MDN:

* Added a note to the Fx59 rel notes:
https://developer.mozilla.org/en-US/Firefox/Releases/59#Security

* Added a small section to the HTTP authentication page:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Authentication_of_cross-origin_images

Let me know if this is OK. Thanks!
Flags: needinfo?(dd.mozilla)
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #9)
> I've documented this on MDN:
> 
> * Added a note to the Fx59 rel notes:
> https://developer.mozilla.org/en-US/Firefox/Releases/59#Security
> 
> * Added a small section to the HTTP authentication page:
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Authentication_of_cross-origin_images
> 
> Let me know if this is OK. Thanks!

Looks good. Thanks.
Flags: needinfo?(dd.mozilla)
Hello!

This bug is just the same as my Bug 647010, which I informed Mozilla about in March 2011. This is a vulnerability in all browsers that support Basic/Digest Authentication, as I wrote in my entry. So a lot of web browsers are vulnerable, not only Firefox.

I called this attack Onsite phishing (or Inline phishing). It can be used (including by phishers) for stealing the logins and passwords of users of web sites.
See Also: → 647010