Closed Bug 259120 Opened 20 years ago Closed 20 years ago

default option should be "no, don't visit" on username/PW URLs

Categories

(Core :: Networking: HTTP, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: u49640, Assigned: dveditz)

Details

(Keywords: fixed-aviary1.0, fixed1.7.5)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040911 Firefox/0.10
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20040911 Firefox/0.10

When I visit a URL with a username and password, like http://test:pass@example.com, Firefox asks if I want to visit "example.com" and warns me that it may be a trick. The default option on this message box is set to "yes", but since most people just don't read dialog boxes and just hit Enter* office the default option should be "no", or the warning should be larger and in a different color (red, bold, font size 16).

And: don't follow the bad example of Windows and ask OK/Cancel. Name the options "Visit the page" and "Cancel" or something more helpful to those who won't read the text above.

* I've seen it several times at work. If a dialog box comes up, users just hit Enter without even reading it. Only if it doesn't work do they try again and read what they do.

Reproducible: Always

Steps to Reproduce: go to http://test:pass@example.com

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20041009 Firefox/0.10

Confirming. Seems reasonable/logical to focus on NO by default. ?1.0
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-aviary1.0?
Darin is a better owner for this. Not sure we need this at this point, since we are taking the first experimental step to helping users to recognize spoofing and phishing attacks, but it might be a good suggestion for a future release.
Assignee: firefox → darin
There are two different dialogs, the "phishy" one you describe could easily be changed to the other default since it's already a suspicious action. But a spoofer could easily change their site to ask for authentication in which case you'd get the other road-block dialog. That one probably needs to stay with a positive default.
Component: General → Networking: HTTP
Product: Firefox → Browser
Version: unspecified → Trunk
Simple patch if we want to do this...
Assignee: darin → dveditz
Status: NEW → ASSIGNED
Comment on attachment 161800: Change button default

Darin, please r= or WONTFIX the bug.
Attachment #161800 - Flags: review?(darin)
Comment on attachment 161800: Change button default

This seems reasonable to me since it will only affect sites that do not in fact use http auth. r=darin
Attachment #161800 - Flags: review?(darin) → review+
Attachment #161800 - Flags: superreview?(jst)
Attachment #161800 - Flags: approval1.7.x?
Attachment #161800 - Flags: approval-aviary?
Comment on attachment 161800: Change button default

sr=jst
Attachment #161800 - Flags: superreview?(jst) → superreview+
Comment on attachment 161800: Change button default

a=mkaply for the branches
Attachment #161800 - Flags: approval1.7.x?
Attachment #161800 - Flags: approval1.7.x+
Attachment #161800 - Flags: approval-aviary?
Attachment #161800 - Flags: approval-aviary+
(In reply to comment #6)
> This seems reasonable to me since it will only affect sites that do not in fact
> use http auth.

Wouldn't it be a good idea to set the option to "don't visit" on sites that use http auth?

> Wouldn't it be a good idea to set the option to "don't visit" on sites that use
> http auth?

If a site is using HTTP auth, then we show a less 'scary' message to the user because more often than not it will be for legitimate purposes. I'm OK keeping the default for that case as 'ok'.

Fixed trunk, 1.7, aviary

/cvsroot/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,v
new revision: 1.224; previous revision: 1.223

/cvsroot/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,v
new revision: 1.197.2.7; previous revision: 1.197.2.6

/cvsroot/mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp,v
new revision: 1.197.2.1.2.7; previous revision: 1.197.2.1.2.6
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Flags: blocking-aviary1.0?