Closed
Bug 1423146
Opened 4 years ago
Closed 4 years ago
Do not allow an auth prompt requested by an image resource loaded from cross-origin
Categories
(Core :: Networking: HTTP, enhancement, P3)
Tracking
()
RESOLVED
FIXED
mozilla59
| Tracking | Status | |
|---|---|---|
| firefox59 | --- | fixed |
People
(Reporter: dragana, Assigned: dragana)
References
Details
(Keywords: dev-doc-complete, site-compat, Whiteboard: [necko-triaged])
Attachments
(1 file)
|
1.46 KB,
patch
|
ckerschb
:
review+
|
Details | Diff | Splinter Review |
We only need to change pref.
|
Assignee | |
Comment 1•4 years ago
|
||
Chrome already have this as default(bug 647010 comment 87) so I do not expect that we will break something.
|
|
Assignee | |
Comment 2•4 years ago
|
||
Attachment #8934471 -
Flags: review?(ckerschb)
|
|
Assignee | |
Comment 3•4 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=4a10f8ec00782460b6a28a57dba36bae1ccca96a
|
||
Updated•4 years ago
|
Attachment #8934471 -
Flags: review?(ckerschb) → review+
|
|
Assignee | |
Comment 5•4 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4) > Do we need an intent-to-ship for this? I will write one, although Chrome already implement this.
|
||
Updated•4 years ago
|
Keywords: dev-doc-needed,
site-compat
|
||
Updated•4 years ago
|
Priority: -- → P3
Whiteboard: [necko-triaged]
Pushed by dd.mozilla@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1a59ea77d44f Change a pref so that an auth prompt requested by an image resource loaded from cross-originis not allowed. r=ckerschb
|
|
||
Comment 7•4 years ago
|
||
Posted the site compatibility note: https://www.fxsitecompat.com/en-CA/docs/2017/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-images/
|
||
Comment 8•4 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/1a59ea77d44f
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
|
||
Comment 9•3 years ago
|
||
I've documented this on MDN: * Added a note to the Fx59 rel notes: https://developer.mozilla.org/en-US/Firefox/Releases/59#Security * Added a small section to the HTTP authentication page: https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#Authentication_of_cross-origin_images Let me know if this is OK. Thanks!
Flags: needinfo?(dd.mozilla)
Keywords: dev-doc-needed → dev-doc-complete
|
|
Assignee | |
Comment 10•3 years ago
|
||
(In reply to Chris Mills (Mozilla, MDN editor) [:cmills] from comment #9) > I've documented this on MDN: > > * Added a note to the Fx59 rel notes: > https://developer.mozilla.org/en-US/Firefox/Releases/59#Security > > * Added a small section to the HTTP authentication page: > https://developer.mozilla.org/en-US/docs/Web/HTTP/ > Authentication#Authentication_of_cross-origin_images > > Let me know if this is OK. Thanks! Looks good. Thanks.
Flags: needinfo?(dd.mozilla)
|
||
Comment 11•3 years ago
|
||
Hello! This bug is just the same as my Bug 647010, which I informed Mozilla about in March 2011. This is vulnerability in all browsers, which support Basic/Digest Authentication, as I wrote in my entry. So a lot of web browsers are vulnerable, not only Firefox. I called this attack as Onsite phishing (or Inline phishing). It can be used (including by phishers) for stealing of logins and passwords of users of web sites.
|
||
Updated•1 year ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•