User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519

Most users probably have a hard time understanding this subtlety, and posting a form to a different domain than where the HTML generating the form came from may be perfectly legitimate. However, it would be great to be able, under preferences, to configure being warned about this. See the example discussed on security mailing lists, attached.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Created attachment 125290: payPalSpoof.msg

Sorry for attaching this in Outlook format (no clue what the best portable message storage format would be...). At least when I save the mail as .html and load it with Mozilla, I don't seem to get an error for https either.
Confirming as a new RFE. Also note bug 168274, about exposing the form action more visibly in all cases.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: form-submission → nobody
QA Contact: ashshbhatt → form-submission
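The comparison this request asks the browser to make, as an added example that is not part of the original bug or Mozilla's code: resolve a form's action against the page URL and flag submissions that leave the page's host, gated by a user preference. The function names, the `warnOnCrossDomainPost` preference and all URLs are hypothetical, constructed values.

```javascript
// Added example. Function names, the preference name and all URLs are
// hypothetical/constructed; this is not Mozilla's implementation.

// Classify where a form would submit, relative to the page that served it.
function classifyFormAction(pageUrl, actionAttr) {
  const page = new URL(pageUrl);
  let target;
  try {
    // A missing or empty action submits back to the document's own URL;
    // relative actions resolve against the page URL.
    target = new URL(actionAttr || "", page);
  } catch (err) {
    return { verdict: "invalid", reason: "action is not a parseable URL" };
  }
  if (target.protocol === page.protocol && target.hostname === page.hostname) {
    return { verdict: "ok", reason: "same scheme and host as the page" };
  }
  if (target.protocol !== "http:" && target.protocol !== "https:") {
    return { verdict: "warn", reason: "non-HTTP scheme " + target.protocol };
  }
  if (target.hostname !== page.hostname) {
    return { verdict: "warn", reason: "posts to different host " + target.hostname };
  }
  return { verdict: "warn", reason: "scheme changes to " + target.protocol };
}

// Honour a user preference, since the request is for a configurable warning.
function shouldWarn(prefs, pageUrl, actionAttr) {
  if (!prefs.warnOnCrossDomainPost) return false;
  return classifyFormAction(pageUrl, actionAttr).verdict !== "ok";
}

// Constructed sample forms: [page URL, action attribute].
const samples = [
  ["https://www.shop.example/login.html", "/session"],
  ["https://www.shop.example/login.html", ""],
  ["https://www.shop.example/login.html", "https://collect.example.net/login"],
  ["file:///C:/mail/saved.html", "https://forms.example.net/collect"],
  ["https://www.shop.example/contact.html", "mailto:someone@example.net"],
];

for (const [page, action] of samples) {
  const r = classifyFormAction(page, action);
  console.log(`${page} -> "${action}": ${r.verdict} (${r.reason})`);
}
```

The `file:` sample corresponds to a mail saved as .html and opened locally, where the page has no host at all and any remote action counts as a different host.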