Closed Bug 247872 Opened 21 years ago Closed 20 years ago

Add secure site notification to pages that post to secure address

Categories

(Core Graveyard :: Security: UI, enhancement)

enhancement
Not set
normal

Tracking

(Not tracked)

VERIFIED WONTFIX

People

(Reporter: beerfan, Assigned: KaiE)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040614 Firefox/0.9 This may be an unreasonable request but it would be desirable to have notification if a form will be submitted to a secure URL even though the form is not secure. It is often that a form like a login form is not secure but posts to a secure URL and having notification of this would help to ease the users mind. A possible pitfall with this feature is that when multiple forms are used on a page, one could be secure (possibly a trojan form or perhaps just another form) while others are not. A workaround could be to only display the notification if _all_ forms on the page post to secure URLs, or perhaps if there is only a single form on the page. Reproducible: Always Steps to Reproduce:
Not sure if this is a dup or not. What we should do is this: A form on a secured page must submit to the same server as shown in the URL bar.... or a very serious dialog appears. This gets rid of frames as a workaround to mask who it really is your sending data too.
leave this UNCO ?
This is an automated message, with ID "auto-resolve01". This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter. The latest beta releases can be obtained from: Firefox: http://www.mozilla.org/projects/firefox/ Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html Seamonkey: http://www.mozilla.org/projects/seamonkey/
isn't this a security bug ? Jesse, you know a dupe of this ?
I don't know whether this is a dup of the top of my head. I was about to WONTFIX this for reasons given in http://www.squarefree.com/2005/05/28/banks-and-https/, but Robert Accettura's idea in comment 1 is interesting.
Assignee: firefox → kaie.bugs
Component: General → Security: UI
Product: Firefox → Core
QA Contact: general
Version: unspecified → Trunk
Robert's comment 1 seems almost the opposite of this bug. At least as I read it, he's saying that on a secure page, the forms must submit back to the server in the url bar (even, or especially, for child frames). Interesting idea, probably breaks too much of the web-as-it-is, but in any case needs its own bug. Too big a morph from this one. Jesse's interpretation seems to be that on a NON SSL page, a form that submits securely back to the visible host might be allowed without a warning. I dunno, that only encourages them. And in lots of current cases that won't make the warning go away because they use different hosts for logging in (e.g. https://login.yahoo.com vs mail.yahoo.com and so on with the login form). Maybe a separate bug from this one if you think it's worth persuing. This one I'd like to go on record as WONTFIX as a popular but very bad idea.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Dan read my mind correctly :)
Status: RESOLVED → VERIFIED
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.