Bug 151250 (Closed): False warning posting to https site from http site.
Opened 23 years ago, closed 23 years ago
Status: VERIFIED FIXED
Categories: Core Graveyard :: Security: UI, defect, P3
Tracking: Not tracked
People: Reporter: randy, Assigned: KaiE
Whiteboard: Fixed on trunk
Attachments: 1 file (1.48 KB, patch; asa: approval+)
If you have a page on a http site that has a form pointing to an https site, the
browser still complains that the traffic is not being encrypted and might be in
the clear.
I am assuming this is a bug unless there is a cache of the values on the http
side page.
Comment 1•23 years ago
-> PSM
Build ID ?
Assignee: Matti → ssaux
Component: Browser-General → Client Library
Product: Browser → PSM
QA Contact: imajes-qa → junruh
Version: other → unspecified
Comment 2•23 years ago
Works for me. I don't get a warning when logging into yahoo mail.
http://mail.yahoo.com, and it is posting to an https site.
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → WORKSFORME
Hit up URL http://www.911lifelink.com/accept.html click "I accept"
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Comment 4•23 years ago
Confirming on trunk Win2000 and Mac OSX. Adding URL and changing summary from
"browser doesn't notice post to https site"
Severity: minor → normal
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 98 → All
Priority: -- → P3
Hardware: PC → All
Summary: browser doesn't notice post to https site → False warning posting to https site from http site.
Version: unspecified → 2.3
Comment 5•23 years ago (Assignee)
Let's define "formSecure" as the bool indicating whether the page containing the
form is secure or not. The case described in this bug is "formSecure false".
Let's define "actionSecure" as the bool indicating whether the destination URL,
where the form data will be sent to, is secure or not. The case described in
this bug is "actionSecure true".
Here is the current logic as defined by the browser:
actionSecure && formSecure => no warning shown
!actionSecure && formSecure => Warning "Post To Insecure From Secure"
!actionSecure && !formSecure => Warning "Post To Insecure"
actionSecure && !formSecure => Warning "Post To Insecure"
The text of the message clearly says "you are posting TO an insecure page".
Because of that, I would assume the case mentioned in this bug was simply forgotten.
Spontaneously I'm tempted to suggest to change the case
actionSecure && !formSecure => no warning shown
as this bug requests.
But on the other hand, why is mail.yahoo.com already working?
I would like to understand that better and will have a deeper look.
Comment 7•23 years ago (Assignee)
Update on the Yahoo behaviour: It is using a trick. It is not finishing the
submit, but cancels it. Then it uses JavaScript to load the next page, manually
passing on the data entered in the form.
Status: NEW → ASSIGNED
Comment 8•23 years ago (Assignee)
With this patch, no warning is shown if the action URL is secure - no matter
whether the form page is secure or not.
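The decision table from Comment 5 and the change described in Comment 8, as an added example that is not part of the bug thread or the attached patch: it models both behaviours and lists which rows of the table changed. Function names and the example.test URLs are hypothetical, and "secure" is assumed to mean an https: scheme.

```javascript
// Added example; function names and sample URLs are hypothetical.
// Assumption: "secure" means the URL scheme is https:.
function isSecure(url) {
  return new URL(url).protocol === "https:";
}

// Decision table quoted in Comment 5 (behaviour before the patch).
function warningBefore(formSecure, actionSecure) {
  if (actionSecure && formSecure) return null;
  if (!actionSecure && formSecure) return "Post To Insecure From Secure";
  return "Post To Insecure"; // both !formSecure rows, including the false warning
}

// Behaviour described in Comment 8: a secure action URL never warns.
function warningAfter(formSecure, actionSecure) {
  if (actionSecure) return null;
  return formSecure ? "Post To Insecure From Secure" : "Post To Insecure";
}

// Classify one form. A relative or empty action resolves against the page
// URL, so it inherits the page's scheme.
function classifySubmit(pageUrl, action) {
  const target = new URL(action || "", pageUrl).href;
  const formSecure = isSecure(pageUrl);
  const actionSecure = isSecure(target);
  return {
    target,
    before: warningBefore(formSecure, actionSecure),
    after: warningAfter(formSecure, actionSecure),
  };
}

// Regression check: list every (formSecure, actionSecure) row whose result
// changed, to confirm the fix did not silence a genuine warning.
function changedRows() {
  const rows = [];
  for (const formSecure of [true, false])
    for (const actionSecure of [true, false])
      if (warningBefore(formSecure, actionSecure) !== warningAfter(formSecure, actionSecure))
        rows.push({ formSecure, actionSecure });
  return rows;
}

// Constructed sample: the case from this bug, on a placeholder host.
console.log(classifySubmit("http://example.test/form.html", "https://example.test/submit"));
console.log(changedRows()); // only the http-page -> https-action row
```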
Comment 9•23 years ago (Assignee)
Javi, can you please review?
Comment 10•23 years ago (Assignee)
Updating URL to http://www.kuix.de/misc/test29/
Page can be used to test all combinations.
Comment 11•23 years ago
Comment on attachment 91094
Patch v1
r=javi
Comment 12•23 years ago (Assignee)
Alec, can you please review?
Comment 13•23 years ago
Comment on attachment 91094
Patch v1
sr=alecf
good to see ample comments!
Comment 14•23 years ago
Comment on attachment 91094
Patch v1
a=asa (on behalf of drivers) for checkin to the 1.1 trunk.
Attachment #91094 -
Flags: approval+
Comment 15•23 years ago (Assignee)
Checked in to trunk.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Updated•23 years ago
Whiteboard: Fixed on trunk
Comment 17•23 years ago
*** Bug 157841 has been marked as a duplicate of this bug. ***
Updated•22 years ago (Assignee)
Attachment #91094 -
Flags: approval1.0.x?
Comment 19•22 years ago (Assignee)
*** Bug 182179 has been marked as a duplicate of this bug. ***
Comment 20•22 years ago
Verified on the branch 2003-02-10-09
Testing latest branch 2002-02-10-09 on Win2000
go to http://www.911lifelink.com/accept.html , select "I Accept" results in the
following security warning dialog: "Security Warning - You have requested an
encrypted page. The web site has identified itself correctly, and information
you see or enter on this page can't easily be read by a third party. [OK]"
This is the expected behavior
Updated•21 years ago
Attachment #91094 -
Flags: approval1.0.x?
Updated•9 years ago
Product: Core → Core Graveyard