Closed Bug 1424847 Opened 7 years ago Closed 6 years ago

No authorisation prompt displayed when inserting image into email body if image URL requires authentication (take 2: regression TB 59)

Categories

(Thunderbird :: Security, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 59.0

People

(Reporter: jorgk-bmo, Assigned: jorgk-bmo)

Details

(Keywords: regression)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1367191 +++

This was fixed in bug 1367191 but isn't working in TB 59 Daily:

Steps to reproduce:

1. Write new email
2. Insert -> Image
3. Paste URL to an image that requires authentication (returns HTTP/1.1 401 Unauthorized)

For example: http://www.jorgk.com/auth/ausflag.png

No auth prompt displayed, instead a broken image is inserted.

Alice, can you please find the regression for us?
Flags: needinfo?(alice0775)
FRG pointed it out, network.auth.subresource-img-cross-origin-http-auth-allow needs to be set to true. That was introduced in bug 1423146.
Flags: needinfo?(alice0775)
Christoph, should we set that preference to "true" by default in TB?
Flags: needinfo?(ckerschb)
SeaMonkey's email client is likely affected too.
Version: 52 Branch → Trunk
I can also reproduce the problem on Nightly 59.0a1.

STR:
1. Open http://www-archive.mozilla.org/editor/midasdemo/
2. Click Icon of "Insert image"
3. Input http://www.jorgk.com/auth/ausflag.png in dialog box

AR:
No authorisation prompt displayed

ER:
Authorisation prompt should display
Product: Thunderbird → Core
Version: Trunk → 59 Branch
As I said in comment #2, this appears to be desired behaviour now and TB can set the pref the other way.
Sorry, reset product.
Product: Core → Thunderbird
Version: 59 Branch → Trunk
This might also need
  pref("network.auth.non-web-content-triggered-resources-http-auth-allow", true);
when bug 1409449 (https://hg.mozilla.org/integration/mozilla-inbound/rev/c31b663b4dd2) gets merged.

Christoph can advise on this as well.
(In reply to Jorg K (GMT+1) from comment #2)
> Christoph, should we set that preference to "true" by default in TB?

I am not sure to be honest. Dragana, what do you think?
Flags: needinfo?(ckerschb) → needinfo?(dd.mozilla)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #8)
> (In reply to Jorg K (GMT+1) from comment #2)
> > Christoph, should we set that preference to "true" by default in TB?
> 
> I am not sure to be honest. Dragana, what do you think?

We can turn on this for tb. They do not have a phishing effect on tb because there is no address bar and top level document.
Flags: needinfo?(dd.mozilla)
> We can turn on this for tb.

What should we do in SeaMonkey? It has the Mail backend shared with Thunderbird and Gecko as the browser engine? So in the browser this would apply.
Flags: needinfo?(dd.mozilla)
Turns out that we need to set network.auth.non-web-content-triggered-resources-http-auth-allow to true as well. Tested with today's local build.
Assignee: nobody → jorgk
Status: NEW → ASSIGNED
Attachment #8936917 - Flags: review?(acelists)
Attachment #8936917 - Flags: feedback?(dd.mozilla)
Comment on attachment 8936917
1424847-auth-prompt.patch (v1)

Review of attachment 8936917:
-----------------------------------------------------------------

Works for me, thanks.
Attachment #8936917 - Flags: review?(acelists) → review+
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/c1ce68052c2b
set appropriate preferences to allow auth prompt for image insertion. r=aceman
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
I took comment #9 as an f+ from Dragana ;-)
Target Milestone: --- → Thunderbird 59.0
Flags: needinfo?(dd.mozilla)
Attachment #8936917 - Flags: feedback?(dd.mozilla) → feedback+
(In reply to Frank-Rainer Grahl (:frg) from comment #10)
> > We can turn on this for tb.
> 
> What should we do in SeaMonkey? It has the Mail backend shared with
> Thunderbird and Gecko as the browser engine? So in the browser this would
> apply.

You need 2 different behaviors for mail and browser. I do not know if it is possible.

Why did you disable inserting images requiring auth in bug 1734142
https://hg.mozilla.org/releases/comm-esr91/rev/ead04f72567a3f690d9ad5218a7e5e2d264cb067
and why didn't you just set one of the prefs (comment #13) to false instead? The feature was originally requested in bug 1367191.

Flags: needinfo?(mkmelin+mozilla)

I didn't realize we had those prefs. I'm not convinced that is something we need/should support.

Flags: needinfo?(mkmelin+mozilla)