1654046 - Replace modal block when secure page submits insecurely with a warning instead.

Status: NEW

(Firefox :: Security, enhancement)

Description

[Daniel Veditz [:dveditz]]

Since Netscape in the 90s we've had a modal block that prevents a secure page from submitting insecurely. We had similar warnings in other situations that people could suppress with a checkbox ("after they were educated") that we eventually removed entirely. Because early on only "important" sites like banks used HTTPS we never made this dialog suppressable, or dismissable.

Most of the web is secure now, and sites stick out and are shamed when they do things insecurely. We could get away with a less draconian warning. Maybe something styled like the "password on an insecure page" warning on the form. A pref is being added to suppress the modal dialog for enterprises in bug 436200 (who can't or won't always get certs for internal sites -- either lazy or sometimes worrying Certificate Transparency logs give away internal secrets). If that catches on then changing to a non-blocking warning would be more important.

As a bonus this would eliminate another modal dialog that sites can use to hang up a page as an "eviltrap".

[minor drawback to the "like password warning" approach: a sneaky site might change the action from secure to insecure on submit to avoid the warning. We should at least scream on the console in that case and hope they get caught and shamed.]