Closed Bug 26336 Opened 23 years ago Closed 23 years ago

A form submit where action='https://...' produces no user warning.

Categories

(Core :: Security, defect, P3)

x86
Windows 95
defect

Tracking

VERIFIED FIXED

People

(Reporter: 3jrgm, Assigned: jud)

Details

(Whiteboard: [PDT-])

Attachments

(1 file)

Overview Description: 
  Submitting a form where action='https://...' produces no user warning.

Steps to Reproduce: 
 1) Go to http://www.hotmail.com/
 2) Enter a username/password (foobar/bazbar) and click the sign-in
    button
 3) This may result in the wallet code asking if you want to save form
    fields.  Just say 'never' to the dialog.
 4) If the wallet code kicked in, click on sign-in again. This time
    wallet will not come up.
 5) Notice, though, that in either case, no action is performed and no
    user warning is thrown.

Expected Results:
  If ssl/https is not a supported protocol, then submitting a form to a https 
  URL should throw an alert dialog up that informs the user of this situation. 
              

Actual Results:             
  No action is performed, and no alert dialog is thrown. (Bob the user just 
  figures it's broken -- and files a bug). 

Build Date & Platform Bug Found: 2000-02-01-08 & 2000-02-02-11 (win95)

Additional Builds and Platforms Tested On: none (sorry, no have).

Additional Information: 
  I'll make a test case that submits a form to an https url, with all
  the <inputs> type="hidden" -- this will, I think, stop the wallet
  code from getting in the way.
*** Bug 26156 has been marked as a duplicate of this bug. ***
The bug I've just marked a duplicate is actually a little more general than
this: all unsupported protocols should trigger a warning when referenced from
forms, and possibly one that is more informative than "Unregistered resource". 
The user doesn't know what the form does, and should get something like "The form
you submitted relies on a protocol that is not supported in Mozilla" or
something of that sort....maybe.
Yes, as Sean Richardson <sidr@albedo.net> and zach <zach@math.berkeley.edu>
have noted, this bug is split off from bug #24901 for the specific case of
submitting a form where the action requires an unsupported protocol (e.g.
<form action='https://...'  method='post'>). Also, as zach points out, this
should apply to the general case of any unsupported protocol, including the
case of "dyslexic" HTML authors (e.g., 'action="htpt://...."').
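
The behaviour requested in the comments above, sketched as an added example (not Mozilla's code and not the fix that was checked in): a form submission is either dispatched or refused with a user-visible message, never dropped silently. `checkFormAction`, `SUPPORTED_SCHEMES` and the example.com URLs are hypothetical names and constructed inputs.

```javascript
// Added example: fail-loud handling of a form's action URL (hypothetical names).
// Schemes this build can load. Constructed to mirror the report: no SSL, so no "https".
const SUPPORTED_SCHEMES = new Set(["http", "ftp", "file"]);

// RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
const SCHEME_RE = /^([A-Za-z][A-Za-z0-9+.-]*):/;

// Decide what to do with <form action=...> submitted from the page at baseUrl.
// Returns {load: true, url} or {load: false, scheme, message}.
function checkFormAction(action, baseUrl, supported = SUPPORTED_SCHEMES) {
  const raw = (action || "").trim();
  const m = SCHEME_RE.exec(raw);
  let scheme, url;
  if (m) {
    scheme = m[1].toLowerCase(); // schemes compare case-insensitively
    url = raw;
  } else {
    // Empty or relative action: it inherits the scheme of the page itself.
    url = new URL(raw, baseUrl).href;
    scheme = new URL(baseUrl).protocol.slice(0, -1);
  }
  if (supported.has(scheme)) return { load: true, url };
  // Unsupported (https here) or mistyped (htpt) scheme: tell the user why.
  return {
    load: false,
    scheme,
    message: `The form you submitted relies on a protocol ("${scheme}") ` +
             "that is not supported in this browser.",
  };
}

// Constructed sample inputs: an https login form, a mistyped scheme,
// a relative action and an empty action.
const BASE = "http://www.example.com/login.html";
const SAMPLES = [
  "https://www.example.com/cgi-bin/dologin",
  "htpt://www.example.com/cgi-bin/dologin",
  "/cgi-bin/search",
  "",
];
for (const action of SAMPLES) {
  console.log(JSON.stringify(action), checkFormAction(action, BASE));
}
```
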
*** Bug 25407 has been marked as a duplicate of this bug. ***
After rethinking this bug, I think it is jud's. cc-ing for his insight.
Eric, how does a form submit load the data? Any different from a regular URL 
(ie. is it using the webshell?). The form load doesn't seem to be following the 
webshell load path. Does it use some sort of OnClick() handler?
Assigning to jud.  I think that he put in the protocol checks.
Assignee: dougt → valeski
Yes, it uses the link handler's OnLinkClick method.  The relevant code is in
nsFormFrame::OnSubmit (especially towards the end of that function).
*** Bug 27007 has been marked as a duplicate of this bug. ***
Target Milestone: M15
*** Bug 28549 has been marked as a duplicate of this bug. ***
*** Bug 28662 has been marked as a duplicate of this bug. ***
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General
The very similar bug 17697 was marked a beta stopper.  May I humbly suggest that
this be fixed for beta as well? Otherwise we'll just get a deluge of bug reports
from people who can't log into their hotmail accounts. 
Keywords: beta1
*** Bug 29364 has been marked as a duplicate of this bug. ***
*** Bug 29372 has been marked as a duplicate of this bug. ***
PDT- for beta1. The Netscape beta should ship with SSL supported... and hence it
should be possible to log into hotmail etc. I think this bug is a mozilla
bug, until we get PSM fully integrated.  If we're mistaken, please clear the 
PDT- and add a comment.
Whiteboard: [PDT-]
fix checked in
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
*** Bug 27104 has been marked as a duplicate of this bug. ***
*** Bug 28304 has been marked as a duplicate of this bug. ***
Will this be in the M14 release? If not, should be on the most frequent bugs
list.
Verified on Linux build 2000.03.01.08.
Verified on WinNT.
Status: RESOLVED → VERIFIED
*** Bug 30397 has been marked as a duplicate of this bug. ***
*** Bug 31158 has been marked as a duplicate of this bug. ***
*** Bug 31400 has been marked as a duplicate of this bug. ***
*** Bug 31536 has been marked as a duplicate of this bug. ***
*** Bug 31760 has been marked as a duplicate of this bug. ***
*** Bug 31504 has been marked as a duplicate of this bug. ***
*** Bug 33143 has been marked as a duplicate of this bug. ***
*** Bug 34461 has been marked as a duplicate of this bug. ***
*** Bug 34462 has been marked as a duplicate of this bug. ***
*** Bug 34463 has been marked as a duplicate of this bug. ***