401 password prompt spoofing thing
Categories
(Fenix :: General, defect, P3)
Tracking
(Not tracked)
People
(Reporter: dveditz, Unassigned)
References
Details
(Keywords: csectype-spoof, sec-low, sec-want)
This is the Fenix version of this bug. If the fix is in Gecko maybe Fenix will inherit it, but if it's a front-end fix Fenix will need its own version.
+++ This bug was initially created as a clone of Bug #791594 +++
Demo: http://lcamtuf.coredump.cx/authspoof/
You show a window-modal HTTP auth prompt visually tied to a particular tab before updating the address bar. This can have bad consequences when somebody navigates a trustworthy window to a malicious location. This seems rather undesirable.
Possible fix: update the address bar and hide the original document before showing the prompt?
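The ordering proposed under "Possible fix", as an added sketch that is not part of the original report and is not Gecko or Fenix code. The tab and challenge objects, the function names and the example.test URLs are all hypothetical:

```javascript
// Added illustration; every name here is hypothetical, not a Gecko/Fenix API.
// Models what the tab UI should look like before a 401 auth prompt is drawn
// for a top-level navigation.

function originOf(url) {
  return new URL(url).origin;
}

// tab:       { addressBarUrl, contentVisible }
// challenge: { url, realm }  (the request that received the 401)
function prepareAuthPrompt(tab, challenge) {
  const challengeOrigin = originOf(challenge.url);
  const next = { ...tab };
  const actions = [];

  if (originOf(tab.addressBarUrl) !== challengeOrigin) {
    // Navigation is still in flight: the bar and the visible document belong
    // to the previous site. Commit the new URL and hide the old document
    // first, so the prompt is never shown next to the previous site's identity.
    next.addressBarUrl = challenge.url;
    next.contentVisible = false;
    actions.push("update-address-bar", "hide-previous-document");
  }

  actions.push("show-prompt");
  return {
    tab: next,
    actions,
    prompt: { requestingOrigin: challengeOrigin, realm: challenge.realm },
  };
}

// Invariant a front-end test can assert: the origin named by the address bar
// is the origin that is asking for credentials.
function promptIsConsistent(result) {
  return originOf(result.tab.addressBarUrl) === result.prompt.requestingOrigin;
}

// Constructed sample: a tab showing one site is navigated to another site
// that answers with a 401.
const SAMPLE_TAB = { addressBarUrl: "https://trusted.example.test/account", contentVisible: true };
const SAMPLE_CHALLENGE = { url: "https://other.example.test/login", realm: "constructed realm" };

function demo() {
  return prepareAuthPrompt(SAMPLE_TAB, SAMPLE_CHALLENGE);
}
```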
Comment 1•4 years ago
Because this bug's Severity has not been changed from the default since it was filed, and its Priority is -- (none), indicating it has not been previously triaged, the bug's Severity is being updated to -- (default, untriaged).