Closed Bug 1671011 Opened 5 years ago Closed 1 year ago

HTTP authentication with tab-modal shows last page's window title

Categories

(Firefox :: Security, defect, P3)

Firefox 83
defect

Tracking


RESOLVED DUPLICATE of bug 791594
Tracking Status
firefox82 --- disabled
firefox83 --- affected

People

(Reporter: kuzimoto, Unassigned)

Attachments

(2 files)

Description

Since Nightly was changed to use a tab-modal instead of a window-modal, the title of the window does not update from the previous content of that tab.

To reproduce

  1. Navigate to a site - google.com
  2. Observe window title is "Google - Firefox Nightly"
  3. Navigate to a site that uses HTTP authentication - https://jigsaw.w3.org/HTTP/Basic/
  4. Observe that the window title is still "Google - Firefox Nightly"

Expected Behavior

  1. The window title to change to "Authentication Required - Firefox Nightly"

Explanation

Ideally the window title would maintain the same behavior as before. This becomes an issue when using password managers, because typically they rely on the window title to select the correct entry. To resolve this, all relevant entries would need to be changed to match on only "Firefox Nightly" which is a bit ambiguous, and those entries would now show up on every site in Firefox.

There is also a case to be made to change the window title to something else. I like Google's approach, of setting the title to the URL being accessed. While this would introduce some work to everyone using password managers in this way, it would make password entry much faster since now each site using HTTP authentication would have a unique title. I think this is a trade-off worth considering.

FYI,
Before landing Bug 1359352, the tab title is changed to "Connecting..." while the authentication dialog is showing.
After landing Bug 1359352, the tab title still keeps showing the previous one while the authentication dialog is showing. --- BUG!

Blocks: 613785

Also in the same line of ideas, many extensions exist to add the URL in the tab title to thus help password managers. It would be great if those extensions could interact with the tab title even if the dialog is prompted. I'm sure there are a bunch of security issues to consider before it.

An alternative that could simplify both cases is to display the WWW-Authenticate realm if provided by the server in the tab title.
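The realm-in-title idea from the comment above, as an added example that is not part of the original bug thread and not Firefox code: the origin comes from the URL the browser requested, while the realm is text chosen by the server, so the sketch puts the origin first, cleans the realm before display, and keys credentials on origin plus realm rather than on a window title. All function names and sample headers are constructed for illustration, and a single challenge per header is assumed.

```javascript
// Constructed sample WWW-Authenticate values; the realm is server-controlled text.
const SAMPLES = {
  plain: 'Basic realm="test"',
  spoof: 'Basic realm="Google - Firefox Nightly\u202E \\"Sign in\\"\r\n"',
  none: "Basic",
};

// Extract scheme and realm from one challenge (quoted-string or bare token).
function parseChallenge(header) {
  const scheme = (header.trim().split(/\s+/)[0] || "").toLowerCase();
  const m = /\brealm\s*=\s*(?:"((?:[^"\\]|\\[\s\S])*)"|([^\s,"]+))/i.exec(header);
  if (!m) return { scheme, realm: null };
  // Undo quoted-pair escaping (\" and \\) for the quoted form.
  const realm = m[1] !== undefined ? m[1].replace(/\\([\s\S])/g, "$1") : m[2];
  return { scheme, realm };
}

// Make the realm safe to show: drop control and bidi-override characters,
// collapse whitespace, and cap the length so it cannot push the origin away.
function cleanRealm(realm, max = 40) {
  if (realm === null) return null;
  const s = realm
    .replace(/[\u0000-\u001F\u007F\u200E\u200F\u202A-\u202E\u2066-\u2069]/g, " ")
    .replace(/\s+/g, " ")
    .trim();
  return s.length > max ? s.slice(0, max) + "…" : s;
}

// Title for the prompt: the origin leads, the cleaned realm is secondary.
function promptTitle(url, header) {
  const { origin } = new URL(url);
  const realm = cleanRealm(parseChallenge(header).realm);
  return realm ? `${origin} | realm: ${realm}` : origin;
}

// Lookup key for a saved credential: identical realm text on another
// origin yields a different key, unlike a match on the window title.
function credentialKey(url, header) {
  const { origin } = new URL(url);
  const { scheme, realm } = parseChallenge(header);
  return JSON.stringify([origin, scheme, realm]);
}
```

With the `spoof` sample, the title still begins with the requesting origin and the override character and line break are gone, so realm text that imitates another site's title cannot stand in for it.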

Paul, can you take a look at this whenever you have some time? Thanks!

Flags: needinfo?(pbz)

Hello,

I’ve managed to reproduce the issue on the latest Nightly (83.0a1/20201014214248), Beta (82.0/20201012131351) and Release (81.0.2/20201012085804) under Windows 10 Pro 64-bit and Ubuntu 16.04 LTS.

After accessing a random site, say https://www.wikipedia.org/, the tab title will change to “Wikipedia”. Afterwards, navigating to https://jigsaw.w3.org/HTTP/Basic/, the tab title will stay the same, i.e. “Wikipedia”, while the authentication dialog is showing. For more details, see the attached screenshots.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached image Nightly tab.png

I think we should update the title and url bar before showing the auth prompt. This will also help with spoofing issues, see Bug 791594.

Flags: needinfo?(pbz)
Component: General → Security
Product: Toolkit → Firefox
Severity: -- → S3
Priority: -- → P2

Hi, I believe this has made it to Firefox 83, and my first thought when I saw the new prompt was that I was being spoofed. Had to do some hg repo archaeology to confirm that it indeed was a legitimate change and find the corresponding bugzilla issue.
Perhaps worth including in the changelog, so people aren't thrown off by the change? Thanks!

(In reply to karlicoss from comment #9)
apologies, posted under wrong issue by accident, commented under https://bugzilla.mozilla.org/show_bug.cgi?id=613785 instead...

I'm unable to repro the original issue with the steps in description. Paul, can you confirm if this is no longer an issue since bug 791594 got fixed?

Flags: needinfo?(pbz)

You can reproduce with this test page: https://eviltrap.site/trap/http-auth-prompt-spoof/
Bug 791594 fixed the most problematic part, the urlbar, but did not address tab title or other parts of the identity section (lock and shield panel).

This bug seems worth addressing but I don't think we can prioritize it right now.

Flags: needinfo?(pbz)
Priority: P2 → P3

Correction: Bug 791594 actually addressed this. When testing I just didn't see it because I use an extension for vertical tabs whose tab title does not get updated. I'll file a separate bug for that.

Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 791594
Resolution: --- → DUPLICATE
See Also: → 1899257