Closed Bug 260988 Opened 20 years ago Closed 11 years ago

favicon still loaded after canceling site load due to userpass warning

Categories

(Firefox :: General, defect)

x86
Linux
defect
Not set
normal

Tracking

RESOLVED WORKSFORME

People

(Reporter: jmd, Unassigned)

Details

Firefox 0.10, filing under "Browser" based on bug 122445.

Attempt to load jmd@pobox.com as a URL. You will receive a warning that you are
about to load the site "pobox.com" as the user "jmd". Click No, that it's not
OK. pobox.com will not be loaded, however, the favicon will be downloaded and
set as the icon for the tab (though it doesn't seem to be set in the URL bar
itself.)

The defensive auth dialogs came from bug 232567, not bug 122445.
Assignee: dveditz → darin
Component: Security: General → Networking: HTTP

There are several favicon bugs like this one, and opinion is divided
(to say the least) on how this should be handled.

FWIW, the favicon set up seems to me to be fundamentally broken (it seems
to work at the server level, and as you say can slip past authorization),
so I don't really see how it can be completely fixed; and though I agree
with you that 'Cancel' should mean 'Cancel' and 'No' should mean 'No' I
don't really feel that there is a real complaint if the browser displays
the bits if it has been able to acquire them.

> I don't really feel that there is a real complaint if the browser displays
> the bits if it has been able to acquire them.

I think even that qualifies as a bug, though admittedly minor, assuming there
are no security concerns (though you might make a case for privacy
concerns--clicking "No" still causes traffic to hit the potential phishing site,
revealing time/ip/os/browser to the attackers).

After clicking "No", you will have the previous page displayed in the browser
(say, this bugzilla page), but with the icon of the site you canceled the load of
(say, the bizarre heart logo of pobox.com) next to its tab. It's the mismatch
that's the issue. Again, a minor one, assuming the security and privacy
implications are judged to be not a concern.

I wholeheartedly agree with comment 3 - I am just doubtful of my
ability to convince anyone else of this.

There are roughly 94 favicon bugs in total, and most of these ones have
something in common with this bug:
109959 110421 113430 116801 118448
120304 121518 133755 162893 163109
186532 238348 240795 242512 250458
252540 253045 255085 255188 258461

Favicons are downloaded and set completely in the front end code; HTTP has
nothing to do with it.
Assignee: darin → firefox
Component: Networking: HTTP → General
Product: Browser → Firefox
QA Contact: firefox.general

This looks to me like it's a dupe of bug 258461.

Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20060509 Minefield/3.0a1

This bug is well over a year old. It looks like a special case of Bug 258461
"Canceling page load results in incorrect favicon displaying on the tab bar",
but I suspect that the reporter wanted a fix specifically for the phishing
implications of this one, even if the wider work for that bug took longer.
I suspect that a fix for that bug would close this one, but that bug also
looks inactive.

If it is really intended to leave these bugs unfixed, then you might want to
state why and mark as WONTFIX or FUTURE.
Assignee: bross2 → nobody

I am unable to reproduce this bug, testing jared@msu.edu on a new tab in Firefox Nightly 21.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME