Closed Bug 264486 Opened 20 years ago Closed 19 years ago

Dialog box asks if I meant to load some https site with login[:password] given in URL. If I answer No the page content does not load, but the site's certificate does.

Categories

(Core Graveyard :: Security: UI, defect)

Other Branch
Other
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: Andrei.Segal, Assigned: KaiE)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux alpha; en-US; rv:1.8a5) Gecko/20041014

If I type in the address bar something like
https://login[:pass]@foo.bar.com
where foo.bar.com is some https site that does not use basic auth, a dialog pops
up with this text: "You are about to log into the site "<foo.bar.com>" with the
username <login>, but the site does not require authentication. This may be an
attempt to trick you. Is "<foo.bar.com>" the site you want to visit?".
Buttons: "Yes", "No", "X"(Close Dialog).
As expected, clicking on either "No", "X" or pressing Esc will abort loading the
page at foo.bar.com, but (1) the address bar still shows the foo.bar.com URL,
(2) if enabled, the warning for entering an encrypted page is displayed, (3) the
 "security information" icon signals a secure connection and (4) the certificate
of foo.bar.com can be examined from the "security information" icon, or from the
page properties. Additionally, upon navigating to some other place, (5) the
warning for leaving an encrypted page is displayed - if enabled.

Reproducible: Always
Steps to Reproduce:
1. Go to sluggy.com
2. Type in address bar: https://minime@bugzilla.mozilla.org
3. Click "No" or <Close> on the dialog that pops up

Actual Results:  
1. The address bar does not revert to http://sluggy.com
2. The security icon indicates that the page you see (sluggy) is signed by
Thawte Consulting cc.
3. The <Security> tab in <Page Info> will inform that "The web site sluggy.com
supports authentication for the page you are viewing. The identity of this site
has been verified by etc." You can examine the certificate.

Expected Results:  
1. The URL in the address bar should match the content displayed.
2. No authentication info from mozilla.org should appear in content from sluggy.com

Built for target alphaev56-unknown-linux-gnu with gcc 3.0.3
Configure args.:  --disable-freetype2 --enable-crypto

Bug also present on this build/OS combo:
Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10.1

See also bugs 232567, 263263
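The heuristic behind the dialog quoted in the report, written out as an added example (this is not Mozilla's code): credentials embedded in a URL are only expected when the server actually challenged for them, and a "username" shaped like a hostname is the usual sign of a lookalike address. The URLs are the ones from this report plus one constructed lookalike (attacker.example); the `serverRequiresAuth` flag stands in for "the server answered with an authentication challenge", an assumption of this example.

```javascript
// Classify a typed URL the way the dialog in this bug does. Returns an object
// with `warn` plus the parsed host/username so a UI (or a log scanner) can show
// the real destination separately from the decoy in the userinfo part.
function classifyUserinfoUrl(rawUrl, serverRequiresAuth) {
  let u;
  try {
    u = new URL(rawUrl); // WHATWG URL parser, available in Node and browsers
  } catch (e) {
    return { warn: false, reason: "unparseable" };
  }
  if (!u.username && !u.password) {
    return { warn: false, reason: "no userinfo", host: u.hostname };
  }
  if (serverRequiresAuth) {
    // Server sent an authentication challenge: ordinary basic auth, credentials expected.
    return { warn: false, reason: "site requested authentication", host: u.hostname };
  }
  // The spoof the dialog guards against: the userinfo is itself a dotted name, so a
  // reader who stops at the first hostname-looking token never sees the real host.
  const usernameLooksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username);
  return {
    warn: true,
    host: u.hostname,
    username: u.username,
    usernameLooksLikeHost,
    reason: usernameLooksLikeHost
      ? `userinfo "${u.username}" resembles a hostname; real host is ${u.hostname}`
      : `userinfo supplied but ${u.hostname} did not request authentication`,
  };
}

// Sample inputs (constructed from the URLs in this report plus one lookalike).
const samples = [
  ["https://minime@bugzilla.mozilla.org", false],
  ["https://login:pass@foo.bar.com", false],
  ["https://login:pass@foo.bar.com", true],
  ["https://bugzilla.mozilla.org@attacker.example/", false],
  ["https://bugzilla.mozilla.org/", false],
];
for (const [url, auth] of samples) {
  console.log(url, "=>", JSON.stringify(classifyUserinfoUrl(url, auth)));
}
```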

*** This bug has been marked as a duplicate of 263263 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Um, I'm not sure it's a duplicate and it's certainly not resolved. My build
includes the patches issued for bug 263263. Please also check the latest
comments for 263263.
reopening.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
stephend, you dupped this to a bug that was clearly referenced in comment 0...
better to read the referenced bugs first.
I got the same situation with 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a5) Gecko/20041031

I think that this should be given a security classification because, though you
are warned, clicking No does not prevent the spoof.

you have my vote
Product: Browser → Seamonkey
*** This bug has been confirmed by popular vote. ***
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee: general → kaie
Component: Browser-General → Client Library
Product: Seamonkey → PSM
QA Contact: general
Version: Trunk → unspecified
This problem is likely caused by the fact that pressing "No" on that dialog is
similar to pressing the STOP button.  However, the lock icon should only change
when we think that we've transferred some data into the browser window.  In this
case, that should not have happened.

Something is probably causing an nsIProgressEventSink::OnProgress event to fire
when it shouldn't.
Severity: normal → major
Product: PSM → Core
I cannot reproduce on Linux with Mozilla 1.7.7.
Responding to the points in the original description:

(1) I think it's ok that the URL bar still shows what the user has entered.

(2) I do not get security warnings, although I have them all enabled.

(3) I see the open, insecure lock

(4) I do not get the security certificate in page/security information. I still
see information for the previous, insecure page shown.

(5) The browser state seems to be fine, because when clicking an insecure link,
I do not get any warning.

I'd say WORKSFORME.
Did somebody fix the progress events?
WORKSFORME on rv:1.7.8 as well, but it did occur with some earlier versions;
seems to have been fixed.
WFM
Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Fixed?
Resolving as WORKSFORME
Status: NEW → RESOLVED
Closed: 20 years ago → 19 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard