Open
Bug 1435085
Opened 6 years ago
Updated 2 years ago
[meta] HTTP Auth security and UI fixes
Categories
(Core :: DOM: Security, enhancement, P3)
Core
DOM: Security
Tracking
()
NEW
People
(Reporter: tanvi, Unassigned)
References
(Depends on 2 open bugs, Blocks 1 open bug)
Details
(Keywords: meta, Whiteboard: [domsecurity-meta])
There have been a number of HTTP Auth bugs recently. Creating this meta bug to help layout what an HTTP Auth Fix Up project may include.
|
Reporter | |
Updated•6 years ago
|
|
||
Comment 1•6 years ago
|
||
See also the existing whiteboard tag… https://bugzil.la/sw:%22[passwords:http-auth]%22
|
|
Reporter | |
Comment 2•6 years ago
|
||
* Security bugs * HTTP Auth should be tab modal instead of window modal to prevent annoyance (evil traps). * HTTP Auth should be restricted for subresources as much as possible to prevent phishing. * HTTP Auth should perhaps be disabled on HTTP pages. * The HTTP Auth dialog needs to be modernized: ** modern UI ** if a subresource is requesting auth, it needs to be very clear that it is not the top level page ** if HTTP Auth is allowed on an HTTP page, we should show the lock with the strikethrough
|
||
Updated•6 years ago
|
Priority: -- → P3
Whiteboard: [domsecurity-meta]
|
|
||
Comment 3•6 years ago
|
||
(In reply to Tanvi Vyas[:tanvi] from comment #2) > * HTTP Auth should be restricted for subresources as much as possible to > prevent phishing. bug 647010
Depends on: 647010
|
||
Comment 4•6 years ago
|
||
Not so much a blocker on bug 1410548, but I want to track this so I can verify any change in behavior.
Blocks: 1410548
> * HTTP Auth should perhaps be disabled on HTTP pages.
In many dev pages and localhost dev pages, it's a rarity to use HTTPS because the credentials are usually of low value and because it would require either to use and whitelist a self-signed certificate or pay more for the certificate to include the development domains. Even worse, the dev may not have the name registered in a DNS and be accessible by ip only.
Given that, it is OK to have HTTP Auth disabled for HTTP page by default but, if done so, I strongly believe that there should be an option for devs to enable HTTP Auth on non-secure connections
Flags: sec-bounty?
Flags: in-testsuite-
Flags: in-qa-testsuite-
Flags: behind-pref-
Flags: a11y-review-
?????
tracking-firefox-esr60:
--- → ?
tracking-thunderbird_esr52:
--- → ?
tracking-thunderbird_esr60:
--- → ?
Flags: needinfo?(ckerschb)
|
||
Updated•6 years ago
|
tracking-firefox-esr60:
? → ---
tracking-thunderbird_esr52:
? → ---
tracking-thunderbird_esr60:
? → ---
Flags: sec-bounty?
Flags: needinfo?(ckerschb)
Flags: in-testsuite-
Flags: in-qa-testsuite-
Flags: behind-pref-
Flags: a11y-review-
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•