Firefox no longer shows Apache 2.4 AuthName messages for password protected pages
(Toolkit :: Content Prompts, defect)
(Reporter: superian, Unassigned)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
Create a password-protected page on an Apache 2.4 server, following the documentation at https://httpd.apache.org/docs/2.4/howto/auth.html, with /home/user/.htpasswd containing the user name and hashed password for the user.
In the .htaccess file have:
<Files "protected-page.html">
AuthName "Some message for the visitor"
AuthType Basic
AuthUserFile /home/user/.htpasswd
require valid-user
</Files>
Visit the page with Firefox 89.
Actual results:
A pop-up asked for the user name and password.
On correctly giving those, it showed the protected page.
Expected results:
The pop-up should have contained "Some message for the visitor", but didn't.
Chromium-based browsers stopped showing AuthName messages about five years ago. Until very recently - this may be new with Firefox 89 - Firefox did show them:
'A username and password are being requested by https://example.com. The site says "Some message for the visitor"'
Now, it's just:
'This site is asking you to sign in'.
If I search for that string it looks like the Firefox source code still had..
EnterLoginForRealm3=%2$S is requesting your username and password. The site says: “%1$S”
.. in April (https://hg.mozilla.org/releases/mozilla-release/rev/8bb3057a5996e04407204b45a68713577a59974a) and I can't find an obvious deletion of it, so I am not sure why it is no longer showing.
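For readers who want to see exactly where the "message for the visitor" lives on the wire, here is a small Python example (added here, not code from the report or from Firefox/Apache) that models both halves of the HTTP Basic exchange from RFC 7617: it parses the `WWW-Authenticate` challenge the server sends for the `.htaccess` above, pulling out the `realm` parameter that Apache fills from `AuthName`, and builds/decodes the `Authorization` header the browser replies with. The sample challenge string and the `charset` parameter are constructed for the example.

```python
import base64
import re

# Constructed sample: the 401 challenge an Apache 2.4 server would send for the
# .htaccess in the report. The realm value is the AuthName string; Apache may
# also append a charset parameter (RFC 7617 section 2.1).
SAMPLE_CHALLENGE = 'Basic realm="Some message for the visitor", charset="UTF-8"'

# key=value pairs, where the value is either a quoted-string (with \" escapes)
# or a bare token.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')


def parse_challenge(header):
    """Split a WWW-Authenticate value into its scheme and auth-params.

    Returns a dict with 'scheme' plus one entry per parameter (keys lower-cased).
    The realm is what the old Firefox prompt displayed as 'The site says: ...'.
    """
    scheme, _, params = header.strip().partition(' ')
    result = {'scheme': scheme}
    for m in _PARAM_RE.finditer(params):
        key = m.group(1).lower()
        if m.group(2) is not None:
            # quoted-string: drop the backslash escapes
            result[key] = re.sub(r'\\(.)', r'\1', m.group(2))
        else:
            result[key] = m.group(3)
    return result


def basic_authorization(user, password):
    """Build the Authorization header value: 'Basic ' + base64(user:password)."""
    if ':' in user:
        # RFC 7617: the user-id must not contain a colon, it is the separator
        raise ValueError('user-id must not contain ":"')
    token = base64.b64encode(f'{user}:{password}'.encode('utf-8')).decode('ascii')
    return 'Basic ' + token


def decode_basic_authorization(header):
    """Inverse of basic_authorization(); returns (user, password)."""
    scheme, _, token = header.strip().partition(' ')
    if scheme.lower() != 'basic':
        raise ValueError('not a Basic credential')
    user, _, password = base64.b64decode(token).decode('utf-8').partition(':')
    return user, password


if __name__ == '__main__':
    challenge = parse_challenge(SAMPLE_CHALLENGE)
    print('server realm (AuthName):', challenge['realm'])
    # Constructed credentials for the demo only.
    auth = basic_authorization('user', 'pass')
    print('client reply:', auth)
    print('server sees:', decode_basic_authorization(auth))
```

The point the example makes visible is that the realm is an ordinary server-controlled string carried in a response header, not something the user agent generates; whether to surface it in the prompt (as Firefox 88 did) or drop it (as Firefox 89 does) is purely a client-side presentation decision.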
Comment 1•4 years ago
The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
This human wonders if Bugbug bot has seen 'password' and gone 'Ah ha, password manager' to itself when it should be somewhere else, but I do not know the source well enough to revert.
Comment 3•4 years ago
From a quick look, I guess this might be related to Bug 1694418 and Bug 1714349. Maybe Gijs can provide more context.
Comment 4•4 years ago
I'm going to move this to the Notifications & Alerts which is the component Bug 1694418 was under. :gijs is out for a bit, maybe :pbz or :micah can provide some input here?
Comment 5•4 years ago
(In reply to Ian from comment #0)
> If I search for that string it looks like the Firefox source code still had..
> EnterLoginForRealm3=%2$S is requesting your username and password. The site says: “%1$S”
> .. in April (https://hg.mozilla.org/releases/mozilla-release/rev/8bb3057a5996e04407204b45a68713577a59974a) and I can't find an obvious deletion of it, so I am not sure why it is no longer showing.
The new HTTP auth prompt is now using a new window tab modal in Firefox 89 (bug 1694418), which displays the new message you're seeing. The call site for showing the old message is here: https://searchfox.org/mozilla-central/rev/bea2345ce636dc329ac7133fc0a13c9171777e40/toolkit/components/prompts/src/Prompter.jsm#877-879 .
Removing the old message keys should probably be done as part of proton-cleanups.
I would say that showing the message from the web server should be retained.
What are the perceived benefits of throwing away the message?
Comment 7•4 years ago
(In reply to Ian from comment #6)
> I would say that showing the message from the web server should be retained.
> What are the perceived benefits of throwing away the message?
See https://bugzilla.mozilla.org/show_bug.cgi?id=1694418#c22
Hmm, my use case is password protecting login pages at the web server level - this stops virtually all of the endless stream of attack bots in their tracks - with a username / password that is displayed to humans.
It was incredibly low level in terms of the resources needed, you could still log the bot failures for fail2ban to ban them at the server level, and when Chromium-based browsers stopped showing the messages, an ideal way to say "use Firefox!"
.. so in this case, "This site is asking you to sign in" isn't really what's happening. It's asking for a username/password to just access that page.
You'll then be asked for the real username/password combination to log into the site.
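The comment above describes the server-side half of this setup: Basic auth failures land in the Apache error log, and fail2ban counts them per client address. As an added example (not code from the report, fail2ban or Apache), the following Python reads error-log lines in the shape Apache 2.4 mod_auth_basic writes (AH01617 for a wrong password, AH01618 for an unknown user), extracts the client IP, and applies a fail2ban-style rule: an address is flagged when it accumulates `maxretry` failures within `findtime`. The log lines are constructed for the example and use documentation addresses; the IPv4 `ip:port` client format is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed error_log sample in the shape of Apache 2.4 mod_auth_basic
# messages. 203.0.113.5 fails three times in four seconds; 198.51.100.7 fails
# twice, half an hour apart.
SAMPLE_ERROR_LOG = """\
[Tue Jun 08 12:00:01.000000 2021] [auth_basic:error] [pid 1001:tid 1] [client 203.0.113.5:50001] AH01618: user admin not found: /protected-page.html
[Tue Jun 08 12:00:02.000000 2021] [auth_basic:error] [pid 1001:tid 1] [client 203.0.113.5:50002] AH01617: user user: authentication failure for "/protected-page.html": Password Mismatch
[Tue Jun 08 12:00:03.000000 2021] [auth_basic:error] [pid 1001:tid 1] [client 198.51.100.7:40001] AH01617: user user: authentication failure for "/protected-page.html": Password Mismatch
[Tue Jun 08 12:00:04.000000 2021] [auth_basic:error] [pid 1001:tid 1] [client 203.0.113.5:50003] AH01618: user root not found: /protected-page.html
[Tue Jun 08 12:30:00.000000 2021] [auth_basic:error] [pid 1001:tid 1] [client 198.51.100.7:40002] AH01617: user user: authentication failure for "/protected-page.html": Password Mismatch
"""

# Only the two Basic-auth failure codes count; other auth_basic errors are ignored.
_FAILURE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]+\] '
    r'\[client (?P<client>[^\]]+)\] (?P<code>AH0161[78]):'
)


def parse_failures(log_text):
    """Return a list of (timestamp, client_ip, code) for each Basic-auth failure."""
    events = []
    for line in log_text.splitlines():
        m = _FAILURE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S.%f %Y')
        # Assumption: client is logged as IPv4 'ip:port'; strip the port.
        ip = m.group('client').rsplit(':', 1)[0]
        events.append((ts, ip, m.group('code')))
    return events


def offending_ips(events, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: flag an IP with >= maxretry failures inside any
    findtime-long window (same meaning as fail2ban's maxretry / findtime)."""
    by_ip = {}
    for ts, ip, _code in events:
        by_ip.setdefault(ip, []).append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window over sorted timestamps: compare each event with the
        # one maxretry-1 positions later.
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged.add(ip)
                break
    return flagged


if __name__ == '__main__':
    failures = parse_failures(SAMPLE_ERROR_LOG)
    print(f'{len(failures)} Basic-auth failures parsed')
    print('would ban:', sorted(offending_ips(failures)))
```

Note that the user names in the constructed lines (`admin`, `root`) are the kind of guesses an automated scanner sends; a real deployment would hand the flagged addresses to the firewall, which is what fail2ban's action does.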
Comment 10•4 years ago
I strongly disagree (to put it mildly) with Gijs' reasoning to mimic a bug(!) in Chrome and designate that as feature.
At work, we use basic HTTP Auth on the Apache level to "prefilter" access to certain directories before actual user management etc. needs to look at it. Hence, different directories have different users and passwords (you might get redirected somewhere along the line to a different directory!), and the HTTP Auth info is used to hint the user which of these credentials are expected here.
It's just plain text — you might as well claim that showing URL paths in the URL bar is evil, because it's remote content in a chrome context …
Comment 11 (Reporter)•4 years ago
Quite.
I also note that the mobile version of Firefox still shows this info.