Return back `security.insecure_field_warning.contextual.enabled` pref
Categories
(Toolkit :: Password Manager, defect, P3)
People
(Reporter: hatifnatt, Unassigned)
Attachments
(1 file)
130.68 KB,
image/png
It is very inconvenient that it is impossible to stop the appearance of this pesky warning.
A lot of developers and system administrators still need to use HTTP during testing, on local machines, in private networks, etc. And all of them now see this absolutely useless (in the cases described above) warning many times a day. Also, this warning usually blocks access to UI elements near the field where it appears.
Also, it almost completely breaks external password manager extensions like the KeePassXC Firefox add-on. See the screenshot for details. Passwords with a short description are completely invisible behind the warning popup. Passwords with a long description are somehow possible to select. And the last part: how it is supposed to be.
Due to the fact that I can't comment on the original issues
https://bugzilla.mozilla.org/show_bug.cgi?id=1773047
https://bugzilla.mozilla.org/show_bug.cgi?id=1787423
and both of them are closed, I expect this issue won't be addressed, so I filed a new one.
Comment 1•3 years ago (Reporter)
I was forced to downgrade to Firefox 103 due to this, and I will probably stick with it forever until this issue is addressed somehow. And I assume many other users will be forced to do the same. It's definitely not a security improvement for those users.
Also, I need to mention that there is no such popup warning in Chromium / Chrome and its users live happily without it.
Comment 3•3 years ago
One compromise for this is to at the very least make it so the user can add hostnames and IPs to a list so it does not show up. Please consider scenarios where developers may have one or more dev servers with many subdomains, so it should be possible to make an exception for, say, *.devserver.local or similar. Same with IPs: it should be possible to just make an exception for 10.x.x.x/8 and so on.
My 2 cents:
The warning is pretty pointless for devices on a LAN, connected via USB or in a local container.
Basically any RFC 1918 IP address should have a way for the warning to be disabled. Whether by default or user choice I dare not suggest.
I use a password manager (1Password in particular) and logging in to my local router is a nightmare.
It is possible but only by following the correct sequences of key presses and clicks...
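The exception list proposed in the comments above (hostname wildcards such as *.devserver.local plus RFC 1918 ranges), sketched as an added example. It is not Firefox code or any commenter's; the entry syntax and all function names are assumptions.

```javascript
// Added example (hypothetical design, not Firefox code): should the
// insecure-field warning be suppressed for this page, given user exceptions?
// Assumed entry syntax: "host", "*.suffix", or IPv4 CIDR "a.b.c.d/len".

// Dotted-quad IPv4 literal -> unsigned 32-bit number, or null if not one.
function ipv4ToInt(host) {
  const parts = host.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, len = ""] = cidr.split("/");
  const baseInt = ipv4ToInt(base);
  // Reject malformed entries such as "10.x.x.x/8" or "10.0.0.0/".
  if (baseInt === null || !/^\d{1,2}$/.test(len) || Number(len) > 32) return false;
  const size = 2 ** (32 - Number(len)); // addresses per block
  return Math.floor(ip / size) === Math.floor(baseInt / size);
}

function hostMatches(host, entry) {
  entry = entry.toLowerCase();
  if (!entry.startsWith("*.")) return host === entry;
  // Match only at a label boundary: "*.devserver.local" covers
  // "app.devserver.local" but not "evildevserver.local".
  return host.endsWith(entry.slice(1)) && host.length > entry.length - 1;
}

function shouldSuppressWarning(pageUrl, exceptions) {
  const url = new URL(pageUrl);
  if (url.protocol !== "http:") return false; // scope: plain-HTTP pages only
  const host = url.hostname.toLowerCase();
  // CIDR entries apply to IP literals only; names are never resolved here,
  // so a DNS answer cannot move an arbitrary site into an exempt range.
  const ip = ipv4ToInt(host);
  return exceptions.some((e) =>
    e.includes("/") ? ip !== null && inCidr(ip, e) : hostMatches(host, e));
}

// The three RFC 1918 private ranges plus the wildcard from the comment above.
const SAMPLE_EXCEPTIONS = ["*.devserver.local", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];
```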
This trend to "safeguard" users from everything without the ability for users to disable the safeguarding is way too dominant these days.
I have quit my YouTube Music subscription because they show warnings before specific songs which you have to click away first in order to listen to the song. Of course you cannot disable that in the settings. These trends are getting ridiculous and most importantly this has nothing to do with "users first". It has nothing to do with "user freedom" or "user choice".
I am all for sane defaults but they have to be adjustable.
I remember that you also took away the ability to block images on certain websites.
All these small reasons add up to users preferring something like Chrome instead.
Especially these days where the Chrome devs roll out origin trials for features like the Web Environment Integrity API, you people (you the Firefox devs) have to realize that you are the free alternative. The ones that are not pressing their corporate bs onto people and that actually (should) stand for user freedom.
I appreciate everyone who works on Firefox a lot, it's great that people work on this and keep it up-to-date, thank you honestly for that.
Please always keep in mind, the browser (like all the machines and software and stuff we have) should be a tool to improve something in our lives. And with changes like a "box overlaying possibly important parts of a website without the ability to disable that box" you really have to ask yourselves first: "Is this improving lives or actually getting in the way?"
I could open an even bigger bottle, like we're talking about minorities all day long and how important it is to have their views heard and to make it possible for them to have acceptance and a place in society. At the same time these design decisions in software almost always go more like "It benefits the average person because it safeguards them and they don't have the technical knowledge so it's better to safeguard them." But then it ignores completely that there are minorities, like technically advanced users, IT professionals, administrators and so on, and for these people a "feature" like this is just a huge blocker.
So please really think about the minorities when making design decisions.
Hi, as one of the mentioned minorities, we the system administrators decide which browser we deploy and thousands of clients are going to use. Our choice is strongly influenced by how easily a browser can be configured and deployed. The removal of the option to disable this warning leaves us once again in a situation where, due to security fixes, we are forced to update the browser, but prevent users from using saved credentials for older systems that don't use https (but are secured with other technologies and thus not easily switchable to https).
We now have the options:
to displease our customers with the warning and loss of usability as they need to retype their credentials every time
to not update the browser anymore -> big nope
or to move to another browser as I don't want to maintain different browsers for different use-cases
Please bring back the option. A user having disabled the warning is supposed to know what he is doing.
Comment 7•1 year ago
Just to chime in. We really need this feature back (or a whitelist). We work in website development and run into the mentioned warning wall of text dozens of times during the day. I understand that there might be something we don't know. Like, if there was a case when someone with this setting 'enabled' had his credentials stolen and lost megatrillions of dollars to a 'hacker'. But there is no liability to Mozilla if this setting existed and was applicable. Security always has to be compromised a little for the sake of usability. And IMO this warning message annoys a dedicated albeit small part of the user base. There are a lot of various forum posts asking how to disable this insecure connection warning message. Somehow many of them have cagey responses that suggest enabling https but deliberately do not provide an answer that it is impossible to disable this message.
Two years and still nothing? Why did they disable it to begin with? I don't care if an option inside 'about:config' would turn my browser upside down and inside out, that's why the SECURITY WARNING is there, for god's sake!
+1 to this. I was pulling my hair out trying to figure out why an internal form wasn't working, turns out the "not https therefore insecure, panic!" warning was precluding an actual error message.
It looks like the work was done to remove the feature for everyone because one guy randomly got the idea that there wasn't a use case for it? https://bugzilla.mozilla.org/show_bug.cgi?id=1773047 (I'm trying to be charitable, I don't understand the logic)
Comment 10•10 months ago
This is wildly annoying and disturbs my workflow. Please allow me to disable this unwanted feature in about:config.
I use the Firefox Developer Edition for development and the normal Firefox for browsing. I have no need to have this enabled in Firefox Developer Edition.
Thank you!
Comment 11•7 months ago
Agree with previous comments, please allow disabling or whitelisting. The box covers 1Password prompts and is useless on internal or developer systems.
Comment 12•5 months ago
The whitelisting is very important during automated tests...