Open Bug 1435085 Opened 3 years ago Updated 1 year ago
[meta] HTTP Auth security and UI fixes
There have been a number of HTTP Auth bugs recently. Creating this meta bug to help lay out what an HTTP Auth Fix Up project may include.
See also the existing whiteboard tag… https://bugzil.la/sw:%22[passwords:http-auth]%22
* Security bugs
* HTTP Auth should be tab modal instead of window modal to prevent annoyance (evil traps).
* HTTP Auth should be restricted for subresources as much as possible to prevent phishing.
* HTTP Auth should perhaps be disabled on HTTP pages.
* The HTTP Auth dialog needs to be modernized:
** modern UI
** if a subresource is requesting auth, it needs to be very clear that it is not the top level page
** if HTTP Auth is allowed on an HTTP page, we should show the lock with the strikethrough
Priority: -- → P3
(In reply to Tanvi Vyas[:tanvi] from comment #2)
> * HTTP Auth should be restricted for subresources as much as possible to
> prevent phishing.

bug 647010
Depends on: 647010
Not so much a blocker on bug 1410548, but I want to track this so I can verify any change in behavior.
> * HTTP Auth should perhaps be disabled on HTTP pages.

In many dev pages and localhost dev pages, it's a rarity to use HTTPS because the credentials are usually of low value and because it would require either using and whitelisting a self-signed certificate or paying more for the certificate to include the development domains. Even worse, the dev may not have the name registered in a DNS and be accessible by IP only.

Given that, it is OK to have HTTP Auth disabled for HTTP pages by default but, if done so, I strongly believe that there should be an option for devs to enable HTTP Auth on non-secure connections.