Basic auth dialogs can be abused for popunders and DoS

RESOLVED DUPLICATE of bug 377496


People

(Reporter: 0xsobky, Unassigned)

Tracking

62 Branch

Details

Note: While this is not a security vulnerability per se, viewing should probably be restricted so that it does not get abused for malicious purposes.

Currently, basic auth dialogs are modal to the main browser window, and they cause the browser window to gain focus. This can easily be abused to create popunder windows:
```
<script>
    // Opening a URL that answers 401 with "WWW-Authenticate: Basic" makes the
    // browser raise its credential dialog. Because that dialog is modal to the
    // main browser window, the main window is brought to the front.
    // jigsaw.w3.org/HTTP/Basic is a W3C endpoint protected by Basic auth,
    // used here only as the trigger.
    function popunder() {
        var popup = window.open('https://jigsaw.w3.org/HTTP/Basic', '', '');
        // The second window is tiny and positioned far off-screen; it ends up
        // behind the (now focused) main window, i.e. a popunder.
        var popunder = window.open('https://example.com', '', 'width=1, height=1, left=10000, top=10000');
    }
</script>

<button onclick="popunder()">popunder</button>
```

Moreover, repeatedly (re)loading a URL that requires basic/digest authentication could lead to a denial of service, as the user would be unable to interact with the browser normally due to endless modal dialogs.

I think basic/digest authentication dialogs should be converted to non-modal dialogs instead.
Johann: this is a dupe of known HTTP Auth abuse, right?
Flags: needinfo?(jhofmann)
Yes, dupe and unfortunately well-known and used in the wild...
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 months ago
Flags: needinfo?(jhofmann)
Resolution: --- → DUPLICATE
Duplicate of bug: 377496