Deal with InsecurePasswordUtils.isFormSecure() for Fission (don't show mixed content warnings on local network pages e.g. routers/intranets)
Categories
(Toolkit :: Password Manager, task, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox86 | --- | fixed |
People
(Reporter: enndeakin, Assigned: dimi)
Attachments
(3 files)
This function determines if the current frame has a local IP address and if the top-level window has a local IP address. If so, the page is considered safe, so mixed content warnings do not appear for those running local network pages and password/form fill-in can occur.
With Fission enabled, the top-level page cannot be accessed.
Either:
- Have some state available on the global that marks the top-level window as a local IP
- Rewrite code to ask the parent for this information
Comment 1•5 years ago
This bug doesn't look like a Fission blocker if it is just about not showing mixed content warnings for localhost content. If this is a higher priority issue, just let me know!
Comment 2•5 years ago
(In reply to Chris Peterson [:cpeterson] from comment #1)
> This bug doesn't look like a Fission blocker if it is just about not showing mixed content warnings for localhost content. If this is a higher priority issue, just let me know!

This bug isn't about localhost, it's about private IP address ranges (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, 192.168.0.0 to 192.168.255.255, & IPv6 equivalents):

```
// Ignore insecure documents with URLs that are local IP addresses.
// This is done because the vast majority of routers and other devices
// on the network do not use HTTPS, making this warning show up almost
// constantly on local connections, which annoys users and hurts our cause.
```

I think this should block the release of Fission to release users given that the above is still a common scenario.
Comment 3•5 years ago
(In reply to Matthew N. [:MattN] (PM me if request are blocking you) from comment #2)
> I think this should block the release of Fission to release users given that the above is still a common scenario.

In that case, let's track this bug as a blocker for Fission riding the trains to Beta (Fission M7).
Comment 4•4 years ago
Sam, could you please find an assignee for this Fission M7 bug (target: Fx85-86)?
Comment 5•4 years ago
(In reply to Neha Kochar [:neha] from comment #4)
> Sam, could you please find an assignee for this Fission M7 bug (target: Fx85-86)?

Ethan, this should be on your radar I guess.
Comment 6•4 years ago
(In reply to Sam Foster [:sfoster] (he/him) from comment #5)
> (In reply to Neha Kochar [:neha] from comment #4)
> > Sam, could you please find an assignee for this Fission M7 bug (target: Fx85-86)?
>
> Ethan, this should be on your radar I guess.

Thanks for the notice. I'll work with my team members to see if we could fix it in time.
Leave the needinfo open for my own reminder.
Comment 7•4 years ago
Dimi is taking over this bug. And we are targeting Firefox 86.
Comment 8•4 years ago (Assignee)
When a user clicks a form, the password manager pops up a warning when the
form is not in a secure context. However, there is an exception when
a form is in an iframe. When the URLs of the iframe and the top-level
are both local IP addresses, we consider it safe.
This patch adds isLocalIP to WindowContext and WindowGlobalActor.webidl
so the password manager can identify whether the top-level URL is a local IP
address under Fission.
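
The exemption discussed in this bug, as an added JavaScript example that is not part of the thread or of Firefox's code: a frame is exempt from the insecure-form warning only when its own URL and the top-level URL are both private IP literals, and under Fission the frame learns the top-level result only as a boolean supplied by the parent. All function names are hypothetical, the sample URLs are constructed, and "IPv6 equivalents" is assumed to mean unique-local `fc00::/7` only.

```javascript
// Added illustration; function names are hypothetical, not Firefox's API.

// True only for a dotted-quad IPv4 literal in 10/8, 172.16/12 or 192.168/16.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false; // DNS names such as 10.0.0.1.example.com land here
  const [a, b, c, d] = m.slice(1).map(Number);
  if ([a, b, c, d].some((o) => o > 255)) return false;
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Assumption: "IPv6 equivalents" is read here as unique-local fc00::/7 only.
function isUniqueLocalIPv6(host) {
  return /^\[f[cd][0-9a-f]{2}:[0-9a-f:]*\]$/i.test(host);
}

function isLocalIP(urlString) {
  let host;
  try {
    host = new URL(urlString).hostname; // IPv6 literals keep their brackets
  } catch (e) {
    return false; // unparsable URL: never exempt
  }
  return isPrivateIPv4(host) || isUniqueLocalIPv6(host);
}

// Decision for a form in an insecure frame. With the top-level document in
// another process, the frame receives only a boolean computed by the parent.
function isExemptFromWarning(frameUrl, topLevelIsLocalIP) {
  return isLocalIP(frameUrl) && topLevelIsLocalIP === true;
}

// Constructed sample cases: [frame URL, top-level URL]
const cases = [
  ["http://192.168.1.1/login", "http://192.168.1.1/"],
  ["http://192.168.1.1/login", "http://example.com/"],
  ["http://172.32.0.1/", "http://10.0.0.1/"],
  ["http://10.0.0.1.example.com/", "http://10.0.0.1/"],
];
for (const [frame, top] of cases) {
  console.log(frame, top, isExemptFromWarning(frame, isLocalIP(top)));
}
```

Only the first constructed case is exempt; a public top-level page, an address just outside 172.16.0.0 to 172.31.255.255, and a DNS name that merely starts with a private address all keep the warning.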
Comment 9•4 years ago (Assignee)
Depends on D99041
Comment 10•4 years ago (Assignee)
Depends on D99042
Comment 11•4 years ago
Comment 12•4 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/a16d69b927a9
https://hg.mozilla.org/mozilla-central/rev/2b4ad8ce76ba
https://hg.mozilla.org/mozilla-central/rev/9e3d68725565