247872 - Add secure site notification to pages that post to secure address

Status: VERIFIED WONTFIX

(Core Graveyard :: Security: UI, enhancement)

Description

[Chris Cook]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9

This may be an unreasonable request but it would be desirable to have
notification if a form will be submitted to a secure URL even though the form is
not secure. It is often that a form like a login form is not secure but posts to
a secure URL and having notification of this would help to ease the users mind.

A possible pitfall with this feature is that when multiple forms are used on a
page, one could be secure (possibly a trojan form or perhaps just another form)
while others are not. A workaround could be to only display the notification if
_all_ forms on the page post to secure URLs, or perhaps if there is only a
single form on the page.

Reproducible: Always
Steps to Reproduce:

Comment 1

[Robert Accettura [:raccettura]]

Not sure if this is a dup or not.

What we should do is this:

A form on a secured page must submit to the same server as shown in the URL
bar.... or a very serious dialog appears.

This gets rid of frames as a workaround to mask who it really is your sending
data too.

Comment 2

[Peter van der Woude [:Peter6]]

leave this UNCO ?

Comment 3

[Gervase Markham [:gerv]]

This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Comment 4

[Peter van der Woude [:Peter6]]

isn't this a security bug ?
Jesse, you know a dupe of this ?

Comment 5

[Jesse Ruderman]

I don't know whether this is a dup of the top of my head.  I was about to
WONTFIX this for reasons given in
http://www.squarefree.com/2005/05/28/banks-and-https/, but Robert Accettura's
idea in comment 1 is interesting.

Comment 6

[Daniel Veditz [:dveditz]]

Robert's comment 1 seems almost the opposite of this bug. At least as I read it,
he's saying that on a secure page, the forms must submit back to the server in
the url bar (even, or especially, for child frames). Interesting idea, probably
breaks too much of the web-as-it-is, but in any case needs its own bug. Too big
a morph from this one.

Jesse's interpretation seems to be that on a NON SSL page, a form that submits
securely back to the visible host might be allowed without a warning. I dunno,
that only encourages them. And in lots of current cases that won't make the
warning go away because they use different hosts for logging in (e.g.
https://login.yahoo.com vs mail.yahoo.com and so on with the login form).

Maybe a separate bug from this one if you think it's worth persuing. This one
I'd like to go on record as WONTFIX as a popular but very bad idea.

Comment 7

[Jesse Ruderman]

Dan read my mind correctly :)