Open Bug 1631073 Opened 4 years ago Updated 9 months ago

401 password prompt spoofing thing

Categories

(Fenix :: General, defect, P3)

x86_64
Android

Tracking

(Not tracked)

People

(Reporter: dveditz, Unassigned)

References

Details

(Keywords: csectype-spoof, sec-low, sec-want)

This is the Fenix version of this bug. If the fix is in Gecko maybe Fenix will inherit it, but if it's a front-end fix Fenix will need its own version.

+++ This bug was initially created as a clone of Bug #791594 +++

Demo: http://lcamtuf.coredump.cx/authspoof/

You show a window-modal HTTP auth prompt visually tied to a particular tab before updating the address bar. This can have bad consequences when somebody navigates a trustworthy window to a malicious location. This seems rather undesirable.

Possible fix: update the address bar and hide the original document before showing the prompt?

No longer depends on: 791594
Depends on: 791594

Because this bug's Severity has not been changed from the default since it was filed, and its Priority is -- (none), indicating it has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged).

Severity: normal → --
OS: Windows 7 → Android
Component: Security: Android → General
Severity: -- → S3
Priority: -- → P3
Duplicate of this bug: 1844989