Closed Bug 1945219 Opened 6 months ago Closed 6 months ago

Basic auth username:password are exposed in page header when printed

Categories

(Toolkit :: Printing, defect)

Firefox 134

RESOLVED DUPLICATE of bug 1894500

People

(Reporter: josh, Unassigned)

Attachments

(1 file)

I've bookmarked a site that uses HTTP basic auth, and I've included the username:password in the URL, so that I'm logged in straight away, e.g.:

https://username:password@example.com/

Once the page loads, Firefox doesn't show the username:password in the address bar and (since bug 353933) doesn't show the username:password in the status bar (e.g. when following links).

So I can load the site and click around the site quite happily, forgetting that in the background my credentials are included in the URL.

But if I print a page from the site, the username:password are included in the URL in the page header. I could print a page from the site, share it with somebody, and inadvertently disclose my username and password to the entire site in the process.

In bug 353933, the status bar was changed to use an Exposable URI - maybe it would be good to do this for the URL in the page header too.

Thanks.

A useful page for demonstrating this problem is:
https://user:pass@httpbin.org/basic-auth/user/pass

Status: UNCONFIRMED → NEW
Component: Security → Printing: Output
Ever confirmed: true
Product: Firefox → Core

https://searchfox.org/mozilla-central/rev/c8a02e44e7e1ad8d431f8b92e834ed195bdcc94b/layout/printing/nsPrintJob.cpp#544-564 is already using the exposable URI stuff, but it seems this can be overridden by settings, and in this case this is doing it.

Component: Printing: Output → Printing
Product: Core → Toolkit
Status: NEW → RESOLVED
Closed: 6 months ago
Duplicate of bug: 1894500
Resolution: --- → DUPLICATE
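
The mitigation discussed in this bug, dropping the userinfo part of a URL before it is displayed or printed, can be sketched with the standard WHATWG `URL` API. This is an added example, not Firefox code and not part of the bug thread; it goes one step further and audits a list of saved URLs for embedded credentials. The function names `exposableUrl` and `auditSavedUrls` and the sample list are constructed for illustration.

```javascript
// Added example (not Firefox's implementation): build a display-safe form of
// a URL by removing userinfo before it reaches a header, log line or printout.

function exposableUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    // Unparseable input: report it rather than echoing it into a header.
    return { ok: false, display: null, hadCredentials: false };
  }
  // A username alone (e.g. an API token) is as sensitive as user:password.
  const hadCredentials = url.username !== "" || url.password !== "";
  if (hadCredentials) {
    url.username = "";
    url.password = "";
  }
  return { ok: true, display: url.href, hadCredentials };
}

// Audit saved URLs (for instance an exported bookmark list) and return only
// the entries that carry credentials, identified by index and safe form so
// the secret itself is never copied into the report.
function auditSavedUrls(urls) {
  return urls
    .map((raw, index) => ({ index, ...exposableUrl(raw) }))
    .filter((r) => r.ok && r.hadCredentials)
    .map(({ index, display }) => ({ index, display }));
}

// Constructed sample input.
const samples = [
  "https://username:password@example.com/",
  "https://user:pass@httpbin.org/basic-auth/user/pass",
  "https://example.com/docs?contact=a@b.example", // '@' in query, no userinfo
  "mailto:someone@example.com",                   // '@' is not userinfo here
  "https://user%40corp:p%3Ass@example.com/x",     // percent-encoded userinfo
  "https://token@example.com/",                   // username only
  "not a url",
];

for (const hit of auditSavedUrls(samples)) {
  console.log(`entry ${hit.index} embeds credentials; safe form: ${hit.display}`);
}
```
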