warn about possible web spoofing: warn if form action domain is different from domain where form came from

NEW
Unassigned

Status

enhancement
15 years ago
9 years ago

People

(Reporter: hauser, Unassigned)

Tracking

Trunk
Details

Attachments

(1 attachment)

35.50 KB, application/octet-stream
Details
(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4b) Gecko/20030519

Most users probably have a hard time understanding this subtlety, and posting a
form to a different domain than where the HTML generating the form came from may
be perfectly legitimate.

However, it would be great to be able under preferences to configure being
warned about this.

See example discussed on security mailing lists attached.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
(Reporter)

Comment 1

15 years ago
Created attachment 125290
payPalSpoof.msg

Sorry for attaching this in Outlook format (no clue what the best portable
message storage format would be...).

At least when I save the mail as .html and load it with Mozilla, I don't seem
to get an error for https either.

Comment 2

15 years ago
Confirming as a new RFE.
Also note bug 168274, about exposing the form action more visibly in all cases.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: form-submission → nobody
QA Contact: ashshbhatt → form-submission
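
The check requested in the description, as an added example that is not part of the bug report or of Mozilla's code: it resolves every form submission target against the page URL and reports those whose host differs. The class and function names, the sample page and the choice to compare exact host names (stricter than a registrable-domain comparison) are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, not taken from the attachment.
SAMPLE_URL = "https://www.bank.example/login"
SAMPLE_HTML = """
<form action="/session" method="post"><input name="user"></form>
<form action="https://collect.other.example/login" method="post">
  <input type="password" name="pass">
  <input type="submit" formaction="//www.bank.example/ok">
</form>
<form><button formaction="http://198.51.100.7/x">Go</button></form>
"""


class FormTargetAuditor(HTMLParser):
    """Records form submission targets whose host differs from the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base_url = None          # set by the first <base href>, if any
        self.findings = []            # (tag, attribute, resolved target URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and self.base_url is None and attrs.get("href"):
            self.base_url = urljoin(self.page_url, attrs["href"])
        elif tag == "form":
            self._check(tag, "action", attrs.get("action"))
        elif tag in ("button", "input") and attrs.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self._check(tag, "formaction", attrs["formaction"])

    def _check(self, tag, attr, value):
        value = (value or "").strip()
        # A missing or empty action submits back to the document itself.
        target = urljoin(self.base_url or self.page_url, value) if value else self.page_url
        # Exact host comparison; targets with no host (mailto:) are reported too.
        if urlsplit(target).hostname != urlsplit(self.page_url).hostname:
            self.findings.append((tag, attr, target))


def cross_domain_form_targets(page_url, html):
    auditor = FormTargetAuditor(page_url)
    auditor.feed(html)
    auditor.close()
    return auditor.findings
```

Calling `cross_domain_form_targets(SAMPLE_URL, SAMPLE_HTML)` reports the second form's action and the button's `formaction`; the relative action, the protocol-relative `formaction` on the same host and the form with no action are not reported.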