Closed Bug 1498217 Opened 6 years ago Closed 6 years ago

Basic auth dialogs can be abused for popunders and DoS

Categories

(Firefox :: General, enhancement)

Product:
Firefox
Component:
General
Version:
62 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 377496

People

(Reporter: 0xsobky, Unassigned)

Details

Note: While this is not a security vulnerability per se, viewing should probably be restricted so that it does not get abused for malicious purposes.

Currently, basic auth dialogs are modal to the main browser window, and they cause the browser window to gain focus. This can easily be abused to create popunder windows:
```
<script>
    function popunder() {
        var popup = window.open('https://jigsaw.w3.org/HTTP/Basic', '', '');
        var popunder = window.open('https://example.com', '', 'width=1, height=1, left=10000, top=10000');
    }
</script>

<button onclick="popunder()">popunder</button>
```

Moreover, by repeatedly (re)loading a URL that requires basic/digest authentication, this could lead to denial of service as the user would be unable to interact with the browser normally due to endless modal dialogs.

I think basic/digest authentication dialogs should be converted to non-modal dialogs instead.
Johann: this is a dupe of known HTTP Auth abuse, right?
Flags: needinfo?(jhofmann)
Yes, dupe and unfortunately well-known and used in the wild...
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jhofmann)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.