Closed Bug 24991 Opened 25 years ago Closed 6 years ago

mail with webpage from restricted site should ask for username/password

Categories

(MailNews Core :: Networking, defect)

Product:
MailNews Core
Component:
Networking
Platform:
x86
Windows 98
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: bugzilla, Unassigned)

References

(
URL
)

Details

(Whiteboard: [nsbeta2-]) 

Use the "send page" from a restricted site that you logged into, and send the 
page to a mozilla account.
Now read the mail with the attached html page. Mozilla will keeps asking for 
username/password.

Expected:
Same behavior as in Netscape 4.7 where netscape only asked for username/password 
once.
*** Bug 26521 has been marked as a duplicate of this bug. ***
QA Contact: lchiang → pmock
Mail review recommends nsbeta2.
Keywords: nsbeta2
Targetting our beta2 candidates to M17.
Target Milestone: --- → M17
Need a retest...does this happen on todays builds.
Whiteboard: [NEED INFO]
When I send a webpage from a restricted site to a Mozilla mail account, the page 
show gets shown. it no longer asks for any username/password.
So it seems fixed.
cool....
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Scott,

This bug does not appear to be fixed.  Seamonkey is not behaving like 
Communicator 4.x.  When I sent a restricted page, we should prompt the user for 
a username and password.  On today commercial seamonkey build, we do not prompt 
the user.  We just display the complete message without prompting.

Steps to reproduce problem:
0) From Communicator 4.72, send yourself a restrict web page that requires login 
and password.  In my test, I used the internal helpdesk web page.
    http://request.mcom.com/helpdesk/alliance_rout1.htm
1) Deleted my previous user profile before installing to todays build.
2) Install the 0524 build
3) Launch Messenger
4) Retrieve your mail message
   The mail message displays the message body without prompting for a login id 
or password.

Under 4.72, when you view a restricted page, it spawn a browser window then puts 
up a login dialog.  If the user cancels out the dialog then you receive an 
authorication error.

This problem occurs on today win32 2000-24-09 -m16 and macos 2000-2419-.1

Re-open bug.
URL: http://request.mcom.com/helpdesk/alli...
re-open bug - clearing resolution.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I can verify that Mozilla never shows the username/password dialog using build 
2000052420. Netscape 4.x did this.

If you send a webpage by mail, the entire webpage is there in the mail, even 
though it's from a restricted site. Perhaps Mozilla should check either the
"Content-Base" or "Content-Location" to see if we're talking about a webpage 
from a restricted site.
Putting on [nsbeta2+]
Whiteboard: [NEED INFO] → [nsbeta2+]
Another way to test this, is by subscribing to the:
"netscape.public.mozilla.crash-data" newsgroup.

The postings: "7:00am Crash Data Summary" has a
<base href="http://cyclone:8080/reports/"> when generates an alert saying:
"news.mozilla.org could not be found. Please check the name and try again."!

removing nsbeta2+ and asking for consideration to cut from beta2. mscott, does
this still sound ok to you?
Whiteboard: [nsbeta2+]
Putting on [nsbeta2-] radar. Not critical to beta2.
Whiteboard: [nsbeta2-]
Changed subject to the new state of this bug.
Summary: mail with webpage from restricted site keeps asking for username/password → mail with webpage from restricted site should ask for username/password
Target Milestone: M17 → ---
Is this bug about sending or receiving?
Product: MailNews → Core
Assignee: mscott → nobody
Status: REOPENED → NEW
QA Contact: pmock → mailnews.networking
Product: Core → MailNews Core
Priority: P3 → --
Tony, what do you think?
(In reply to Wayne Mery (:wsmwk) from comment #16)
> Tony, what do you think?

Well, what is the "expected" behaviour? If I send a page (as opposed to a link) by mail, I would expect a _copy_ of the page to be sent as attachment, and visible with no need to input any UN+PW, provided only that the _sender_ had the necessary permissions. But some of the posters above seem to expect that _both_ sender and receiver need appropriate credentials. Is there a relevant RFC or something?
(In reply to Tony Mechelynck [:tonymec] from comment #17)
> (In reply to Wayne Mery (:wsmwk) from comment #16)
> > Tony, what do you think?
> 
> Well, what is the "expected" behaviour? If I send a page (as opposed to a
> link) by mail, I would expect a _copy_ of the page to be sent as attachment,
> and visible with no need to input any UN+PW, provided only that the _sender_
> had the necessary permissions. But some of the posters above seem to expect
> that _both_ sender and receiver need appropriate credentials. Is there a
> relevant RFC or something?

dunno.
maybe someone else ...
It should be virtually impossible to send the full context with a message. Authentication may come in various forms, how would one know which variant to apply, and how to keep track of related cookies, etc.?

Current behavior is to send the page verbatim, i.e., any included images aren't resolved and attached but included as remote content (I'd suspect the same is happening with {i}frames, so this would be a suitable mechanism to enforce any authentication-related problems, but then you aren't sending that message at all just a reference to it). I'm not aware of any IETF regulations on that.

Given that you can just use View > Message Source to read an HTML attachment coming from a web page, enforcing any credentials at this time would be rather moot anyway. It's the responsibility of the sender whether or not the message is acceptable to send to anybody else (and everybody eavesdropping, for that matter).
wontfix, or invalid?
Flags: needinfo?(mkmelin+mozilla)
I think we can close this yes. I think the "send page" feature should be removed too - it's a really odd feature.
Status: NEW → RESOLVED
Closed: 24 years ago6 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.