Closed Bug 236558 Opened 21 years ago Closed 21 years ago

Unnecessary Security Warning upon Form Submittal using HTTPS and Javascript

Categories

(Firefox :: General, defect)

x86
Windows 2000
defect
Not set
normal

RESOLVED DUPLICATE of bug 183329

People

(Reporter: chrissansone, Assigned: bugzilla)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

Consider the following HTML:

    <html>
    <body>
      <form action="javascript:alert('hello')">
        <input type="submit" name="Submit" value="Submit" />
      </form>
    </body>
    </html>

When using HTTP, everything works fine: clicking the Submit button will display the "hello" dialog box. But when this page is over HTTPS, a security warning is displayed upon clicking the Submit button, before the "hello" dialog box appears. The security warning reads:

"Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?"

Obviously, this warning is completely unnecessary, because no data is being transmitted at all. The warning occurs before the Javascript is executed, without first determining if the Javascript does indeed transmit any data.

I have managed to avoid the warning by re-writing the HTML as follows:

    <html>
    <body>
      <form onsubmit="alert('hello'); return false">
        <input type="submit" name="Submit" value="Submit" />
      </form>
    </body>
    </html>

It performs the Javascript before the actual submission, then prevents the submission by returning false. This was not an obvious solution to me. The form's "action" attribute does indeed execute Javascript, so it should be able to handle this situation.

Bottom line: submitting a form does not necessarily involve transmitting of data. I recommend the browser first checks the Javascript to determine if data will be transmitted, and if so, displays the warning before any of the Javascript is executed (easy for me to say!).

FYI, Internet Explorer does not display this errant security warning.

Thanks, Mozilla crew! The browser is fantastic -- keep up the excellent work!

Reproducible: Always

Steps to Reproduce:
1. Create a web page under HTTPS with the HTML in the Details section
2. Navigate to the page
3. Press the submit button

Actual Results: A security warning unnecessarily appears (see Details for more info).

Expected Results: The security warning is not displayed in this situation.
I'm seeing the same problem under Linux. Having "javascript:" behind the action keyword pops up a security warning that cannot be disabled. This bug also exists in Mozilla (at least up until 1.6). My Firefox version: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040612 Firefox/0.8
This bug is possibly related to, or may share a common cause with, Bug 183329.
This bug is clearly the same as Bug 183329. Basically, if you direct a form action to javascript, it's identified as an unencrypted link, regardless of what the javascript does. This wouldn't be a problem, except that directing a form action to javascript is the easiest way to do client side form validation. I can reproduce this behavior on Firefox 1.0 on FreeBSD and Windows XP.
*** This bug has been marked as a duplicate of 183329 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
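
Added example, not part of the bug report and not Mozilla's code: a simplified model of the check the comments describe, comparing a rule that treats every non-HTTPS form action as an unencrypted destination with one that looks at the scheme first. The function names, the example.test URLs and the choice of "javascript:" as the only non-network scheme are assumptions made for the illustration.

```javascript
// Added illustration; a simplified model, not Mozilla's implementation.
const ENCRYPTED = new Set(["https:"]);
// Assumption: only javascript: is treated as a non-network action here.
const NO_NETWORK = new Set(["javascript:"]);

// Resolve a form's action against the page URL, as a browser does.
// An absent or empty action submits back to the page itself.
function resolveAction(pageUrl, action) {
  return new URL(action || pageUrl, pageUrl);
}

// Behaviour reported in the thread: on an HTTPS page, every action
// whose scheme is not HTTPS is treated as an unencrypted destination.
function naiveWarns(pageUrl, action) {
  const page = new URL(pageUrl);
  const target = resolveAction(pageUrl, action);
  return page.protocol === "https:" && !ENCRYPTED.has(target.protocol);
}

// Scheme-aware variant: the submission itself sends nothing for a
// javascript: action, so no cleartext warning applies to it.
// The script it runs can still make its own requests; this check
// says nothing about those.
function schemeAwareWarns(pageUrl, action) {
  const target = resolveAction(pageUrl, action);
  if (NO_NETWORK.has(target.protocol)) return false;
  return naiveWarns(pageUrl, action);
}

// Constructed sample inputs.
const PAGE = "https://www.example.test/form.html";
const ACTIONS = ["javascript:alert('hello')", "http://www.example.test/post", "/post", ""];

function compare(pageUrl, actions) {
  return actions.map((a) => ({
    action: a,
    naive: naiveWarns(pageUrl, a),
    schemeAware: schemeAwareWarns(pageUrl, a),
  }));
}

console.table(compare(PAGE, ACTIONS));
```

Only the first row differs between the two rules; a real downgrade to an http: action still warns under both.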