No authorisation prompt displayed when inserting image into email body if image URL requires authentication (take 2: regression TB 59)

RESOLVED FIXED in Thunderbird 59.0

Status

defect
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: jorgk, Assigned: jorgk)

Tracking

({regression})

Trunk
Thunderbird 59.0

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

a year ago
+++ This bug was initially created as a clone of Bug #1367191 +++

This was fixed in bug 1367191 but isn't working in TB 59 Daily:

Steps to reproduce:

1. Write new email
2. Insert -> Image
3. Paste URL to an image that require authentication (returns HTTP/1.1 401 Unauthorized)

For example: http://www.jorgk.com/auth/ausflag.png

No auth prompt displayed, instead a broken image is inserted.

Alice, can you please find the regression for us.
Flags: needinfo?(alice0775)
(Assignee)

Comment 1

a year ago
FRG pointed it out, network.auth.subresource-img-cross-origin-http-auth-allow needs to be set to true. That was introduced in bug 1423146.
Flags: needinfo?(alice0775)
(Assignee)

Comment 2

a year ago
Christoph, should we set that preference to "true" by default in TB?
Flags: needinfo?(ckerschb)
SeaMonkeys email client is likely affected too.
(Assignee)

Updated

a year ago
Version: 52 Branch → Trunk

Comment 4

a year ago
I can also reproduce the problem on Nightly59.0a1.

STR:
1. Open http://www-archive.mozilla.org/editor/midasdemo/
2. Click Icon of "Insert image"
3. Input http://www.jorgk.com/auth/ausflag.png in dialog box

AR:
No authorisation prompt displayed

ER:
Authorisation prompt should display

Updated

a year ago
Component: Security → Security
Product: Thunderbird → Core
Version: Trunk → 59 Branch
(Assignee)

Comment 5

a year ago
As I said in comment #2, this appears to be desired behaviour now and TB can set the pref the other way.

Comment 6

a year ago
sorry, reset product.
Component: Security → Security
Product: Core → Thunderbird
Version: 59 Branch → Trunk
(Assignee)

Comment 7

a year ago
This might also need
  pref("network.auth.non-web-content-triggered-resources-http-auth-allow", true);
when bug 1409449 (https://hg.mozilla.org/integration/mozilla-inbound/rev/c31b663b4dd2) gets merged.

Christoph can advise on this as well.
(In reply to Jorg K (GMT+1) from comment #2)
> Christoph, should we set that preference to "true" by default in TB?

I am not sure to be honest. Dragana, what do you think?
Flags: needinfo?(ckerschb) → needinfo?(dd.mozilla)
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #8)
> (In reply to Jorg K (GMT+1) from comment #2)
> > Christoph, should we set that preference to "true" by default in TB?
> 
> I am not sure to be honest. Dragana, what do you think?

We can turn on this for tb. They do not have a phishing effect on tb because there is not address bar and top level document.
Flags: needinfo?(dd.mozilla)
> We can turn on this for tb.

What should we do in SeaMonkey? It has the Mail backend shared with Thundebird and Gecko as the browser engine? So in the browser this would apply.
Flags: needinfo?(dd.mozilla)
(Assignee)

Comment 11

a year ago
Turns out that we need to set network.auth.non-web-content-triggered-resources-http-auth-allow to true as well. Tested with today's local build.
Assignee: nobody → jorgk
Status: NEW → ASSIGNED
Attachment #8936917 - Flags: review?(acelists)
Attachment #8936917 - Flags: feedback?(dd.mozilla)

Comment 12

a year ago
Comment on attachment 8936917 [details] [diff] [review]
1424847-auth-prompt.patch (v1)

Review of attachment 8936917 [details] [diff] [review]:
-----------------------------------------------------------------

Works for me, thanks.
Attachment #8936917 - Flags: review?(acelists) → review+

Comment 13

a year ago
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/c1ce68052c2b
set appropriate preferences to allow auth prompt for image insertion. r=aceman
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
(Assignee)

Comment 14

a year ago
I took comment #9 as an f+ from Dragana ;-)
Target Milestone: --- → Thunderbird 59.0
Flags: needinfo?(dd.mozilla)
Attachment #8936917 - Flags: feedback?(dd.mozilla) → feedback+
(In reply to Frank-Rainer Grahl (:frg) from comment #10)
> > We can turn on this for tb.
> 
> What should we do in SeaMonkey? It has the Mail backend shared with
> Thundebird and Gecko as the browser engine? So in the browser this would
> apply.

You need 2 different behavior for mail and browser. I do not know if it is possible.
You need to log in before you can comment on or make changes to this bug.