[meta] HTTP Auth security and UI fixes

NEW
Unassigned

enhancement
P3
normal
2 years ago
4 months ago

People

(Reporter: tanvi, Unassigned)

Tracking

(Depends on 5 bugs, Blocks 1 bug, {meta})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-meta])

There have been a number of HTTP Auth bugs recently.  Creating this meta bug to help lay out what an HTTP Auth Fix Up project may include.
Depends on: 377496, 613785, 1357835
* Security bugs

* HTTP Auth should be tab modal instead of window modal to prevent annoyance (evil traps).

* HTTP Auth should be restricted for subresources as much as possible to prevent phishing.

* HTTP Auth should perhaps be disabled on HTTP pages.

* The HTTP Auth dialog needs to be modernized:
** modern UI
** if a subresource is requesting auth, it needs to be very clear that it is not the top level page
** if HTTP Auth is allowed on an HTTP page, we should show the lock with the strikethrough
Priority: -- → P3
Whiteboard: [domsecurity-meta]
(In reply to Tanvi Vyas[:tanvi] from comment #2)
> * HTTP Auth should be restricted for subresources as much as possible to
> prevent phishing.

bug 647010
Depends on: 647010
Not so much a blocker on bug 1410548, but I want to track this so I can verify any change in behavior.
Blocks: 1410548
> * HTTP Auth should perhaps be disabled on HTTP pages.

In many dev pages and localhost dev pages, it's a rarity to use HTTPS because the credentials are usually of low value and because it would require either using and whitelisting a self-signed certificate or paying more for the certificate to include the development domains. Even worse, the dev may not have the name registered in a DNS and be accessible by IP only.

Given that, it is OK to have HTTP Auth disabled for HTTP pages by default but, if done so, I strongly believe that there should be an option for devs to enable HTTP Auth on non-secure connections.
Flags: sec-bounty?
Flags: in-testsuite-
Flags: in-qa-testsuite-
Flags: behind-pref-
Flags: a11y-review-
Flags: needinfo?(ckerschb)