Closed Bug 1631071 Opened 6 years ago Closed 6 years ago

401 password prompt spoofing thing

Categories

(Firefox for iOS :: General, defect)

Product:
Firefox for iOS
Component:
General
Platform:
x86_64
Windows 7
Type:
defect

Tracking

()

Status:
RESOLVED MOVED
Tracking Flags:
Tracking Status
fxios ? ---

People

(Reporter: dveditz, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: csectype-spoof, sec-low, sec-want)

This is the Firefox for iOS version of bug 791594 since it will certainly need its own fix

+++ This bug was initially created as a clone of Bug #791594 +++

Demo: http://lcamtuf.coredump.cx/authspoof/

You show a window-modal HTTP auth prompt visually tied to a particular tab before updating the address bar. This can have bad consequences when somebody navigates a trustworthy window to a malicious location. This seems rather undesirable.

Possible fix: update the address bar and hide the original document before showing the prompt?

Depends on: 1631072
Depends on: 1631073

The priority flag is not set for this bug.
:garvan, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(gkeeley)

Because this bug's Severity has not been changed from the default since it was filed, and it's Priority is -- (non,) indicating it has has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged.)

Severity: normal → --

Moved to github: https://github.com/mozilla-mobile/firefox-ios/issues/6602 where non-private issues are tracked.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(gkeeley)
Resolution: --- → MOVED
You need to log in before you can comment on or make changes to this bug.