Closed Bug 1732398 Opened 4 years ago Closed 4 years ago

Password auto-fill should not fill forms when site is downgraded to HTTP from HTTPS

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Version:
Firefox 92
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: chetw, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0

Steps to reproduce:

Login into website over https:// and allow password manager to store the password. Force a downgrade to a fake replica site running on http:// and password manager fills in the password.

Actual results:

It filled in the password to an imposter site

Expected results:

Password manager should not auto-fill a password stored for a secure site to an insecure one.

The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Accidentally filed against wrong browser, closing

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.