Open Bug 1671011 Opened 4 years ago Updated 3 years ago

HTTP authentication with tab-modal shows last page's window title

Categories

(Firefox :: Security, defect, P2)

Firefox 83
defect

Tracking

Tracking Status
firefox82 --- disabled
firefox83 --- affected

People

(Reporter: kuzimoto, Unassigned)

Attachments

(2 files)

Description

Since Nightly was changed to use a tab-modal instead of a window-modal, the title of the window does not update from the previous content of that tab.

To reproduce

  1. Navigate to a site - google.com
  2. Observe window title is "Google - Firefox Nightly"
  3. Navigate to a site that uses HTTP authentication - https://jigsaw.w3.org/HTTP/Basic/
  4. Observe that the window title is still "Google - Firefox Nightly"

Expected Behavior

  1. The window title to change to "Authentication Required - Firefox Nightly"

Explanation

Ideally the window title would maintain the same behavior as before. This becomes an issue when using password managers, because typically they rely on the window title to select the correct entry. To resolve this, all relevant entries would need to be changed to match on only "Firefox Nightly" which is a bit ambiguous, and those entries would now show up on every site in Firefox.

There is also a case to be made to change the window title to something else. I like Google's approach, of setting the title to the URL being accessed. While this would introduce some work to everyone using password managers in this way, it would make password entry much faster since now each site using HTTP authentication would have a unique title. I think this is a trade-off worth considering.

FYI,
Before landing Bug 1359352, the tab title is changed to "Connecting..." while the authentication dialog is showing.
After landing Bug 1359352, the tab title still keeps showing the previous one while the authentication dialog is showing. --- BUG!

Blocks: 613785

Also in the same line of ideas, many extensions exist to add the URL in the tab title to help the password manager. It would be great if those extensions could interact with the tab title even if the dialog is prompted. I'm sure there is a bunch of security issues to consider before it.

An alternative that could simplify both cases is to display the WWW-Authenticate realm if provided by the server in the tab title.
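
An added example, not part of the comment above or of Firefox's code: one way a tab title could carry the WWW-Authenticate realm without letting the server-supplied string imitate another site's title. The function names, the title format and the sample headers are assumptions made for illustration.

```javascript
// Hypothetical helpers; header values used with them are constructed samples.

// Matches auth-params as key=token or key="quoted-string". Quoted strings are
// consumed whole, so "realm=" inside another parameter's value is not picked up.
const AUTH_PARAM = /([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,"]+))/g;

function extractRealm(headerValue) {
  for (const m of headerValue.matchAll(AUTH_PARAM)) {
    if (m[1].toLowerCase() !== "realm") continue;
    // Undo backslash escapes in the quoted form; tokens are used as-is.
    return m[2] !== undefined ? m[2].replace(/\\(.)/g, "$1") : m[3];
  }
  return null;
}

// The realm is attacker-controlled text: drop control and format characters
// (CR/LF, bidi overrides, zero-width marks), collapse whitespace, cap the length.
function sanitizeForTitle(text, maxLen = 40) {
  const clean = text.replace(/[\p{Cc}\p{Cf}]/gu, " ").replace(/\s+/g, " ").trim();
  const chars = [...clean];
  return chars.length > maxLen ? chars.slice(0, maxLen - 1).join("") + "…" : clean;
}

// The browser-derived host always comes first, so a title matcher sees a
// site-unique prefix the server cannot choose. URL.host is ASCII (punycode).
function authPromptTitle(requestUrl, headerValue) {
  const host = new URL(requestUrl).host;
  const realm = extractRealm(headerValue || "");
  const label = realm ? sanitizeForTitle(realm) : "";
  const base = `${host} - Authentication Required`;
  return label ? `${base} (${label})` : base;
}
```

A password manager entry keyed on the leading host would then match one site only, whatever realm text the server sends.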

Paul, can you take a look at this whenever you have some time? Thanks!

Flags: needinfo?(pbz)

Hello,

I’ve managed to reproduce the issue on the latest Nightly (83.0a1/20201014214248), Beta (82.0/20201012131351) and Release (81.0.2/20201012085804) under Windows 10 Pro 64-bit and Ubuntu 16.04 LTS.

After accessing a random site, say https://www.wikipedia.org/, the tab title will change to “Wikipedia”. Afterwards, navigating to https://jigsaw.w3.org/HTTP/Basic/, the tab title will stay the same, i.e. “Wikipedia”, while the authentication dialog is showing. For more details, see the attached screenshots.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Attached image Nightly tab.png

I think we should update the title and url bar before showing the auth prompt. This will also help with spoofing issues, see Bug 791594.

Flags: needinfo?(pbz)
Component: General → Security
Product: Toolkit → Firefox
Severity: -- → S3
Priority: -- → P2

Hi, I believe this has made it to Firefox 83, and my first thought when I saw the new prompt was that I was being spoofed. Had to do some hg repo archaeology to confirm that it indeed was a legitimate change and find the corresponding bugzilla issue.
Perhaps worth including in the changelog, so people aren't thrown off by the change? Thanks!

(In reply to karlicoss from comment #9)
apologies, posted under wrong issue by accident, commented under https://bugzilla.mozilla.org/show_bug.cgi?id=613785 instead...
