Closed Bug 26507 Opened 20 years ago Closed 20 years ago
URL bar should hide passwords
When the user enters passwords in the form of: ftp://user:firstname.lastname@example.org/ It would be nice if the URL bar hides the password. The heuristics for knowing if the user is entering a password while she's typing it may be a bit goofy (basically, look for a colon I guess), but at least once the URL is typed in, this can be determined easily. The browser should never show passwords in plain text if it can help it. (Note that currently, the URL's in FTP view are completely broken, so you can't see where you are at all. This would be for when they work again ;-)
I think Netscape 4.x did not have this, right? Leger - where would this go? Networking or Password Cache?
nope, old 4.x builds never hid the passwords. i think the old workaround is just use ftp://email@example.com and let the browser prompt you for your password. I think the key thing to check would be to make sure the password is not sent as part of the URL in the HTTP command. that would be bad because that info lands in everybody's HTTP logs.
On the previous note, the password shouldn't go into the browser's history file without at least prompting first, either. This is a real issue with lab settings etc. (But a different issue from this bug) Last time I checked, some other popular browsers forced people to enter their passwords fully on the URL line (no prompt option), and then happily saved them in public places.
Moving to networking component
Component: Browser-General → Networking
Reassign to component owner.
Assignee: leger → gagan
QA Contact: cbegle → tever
I don't quite agree that we should try and remove the password from the location bar. As cbegle pointed out there is a work around if you don't want your password to be displayed in the bar. However there is a second point raised by her for which I can assure from HTTP side that we don't send the password but for FTP I am cc'ing this bug to valeski (to verify we don't send passwords in URL with the proxied HTTP request...)
we do send them in FTP.
marking as invalid.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Marking Verified as Invalid.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.