270776 - HTTPS Live bookmarks failed to load if the password of the private key is not cached

Status: RESOLVED INACTIVE

(Firefox :: Bookmarks & History, defect)

Description

[Romain Wartel]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

If a server publishes an HTTPS RSS feed, which also checks the clients'
certificate, Firefox will succesfully load the feed if the password of the
private key has already been typed.
If the password is not cached, it will fail to load the live bookmark.

Reproducible: Always
Steps to Reproduce:
1. Go to an HTTPS server that checks client certificates
2. Type the password of your private key
3. Subscribe to an RSS feed on the HTTPS server that checks client certificates.
4. Close Firefox
5. Restart Firefox and check your Live Bookmarks

Actual Results:  
The Live Bookmarks fails to load.
You need to go back to the HTTPS server that checks client certificates, type
your password, and refresh the Live Bookmark.

Expected Results:  
As soon as I am subscribed to an https RSS feed, which would check my client
certificate, I expect to be prompted for my password when Firefox is starting up.

Comment 1

[Andrew Johnson]

I am seeing the same problem with a normal HTTP page which is being
authenticated by a username / password.

There is a workaround where you can edit the bookmark link to be:
  http://username:password@site.com/RSSfeed.xml
         ^^^^^^^^^^^^^^^^^^
but the security implications of this will vary on a case-by-case basis.

As a fix, if the details can be pulled from the password manager automatically
that would be perfect, or the usual pop up box would be fine too.

Comment 2

[Pedro Morais]

Still present on Deer Park Beta 1.

Comment 3

[Bj0rN]

The workaround mentioned by Andrew Johnson doesn't work in FF 1.5 on a Mac (Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051111 Firefox/1.5)

I just tested it on a colleagues PC with FF1.5 and it doesn't work there either..

The workaround was:

  http://username:password@site.com/RSSfeed.xml
         ^^^^^^^^^^^^^^^^^^

Comment 4

[Alberto Brandolini]

Bugs are loadede after authentication, but Firefox is trying to access them in http, instead of https.

Comment 5

[Mike Connor [:mconnor]]

Personally, I have a live bookmark to a secure site, and the workaround mentioned has been working for the last eight months.  Prompting for http auth on startup wouldn't be useful for most cases, though it'd be worth exposing UI to authenticate.

Comment 6

[Mike Connor [:mconnor]]

sorry for bugspam, long-overdue mass reassign of ancient QA contact bugs, filter on "beltznerLovesGoats" to get rid of this mass change

Comment 7

[Steve England [:stevee]]

Reporter, do you still see this problem with the latest Firefox 2? If not, can you please close this bug as WORKSFORME. Thanks!

Comment 8

[Andrew Johnson]

I still see it.  I've switched to Linux but I get the same behaviour:
  Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.4) Gecko/20070208 Mandriva/2.0.0.4-1mdv2007.1 (2007.1) Firefox/2.0.0.4

The workaround still works.

The bug probably lies in how the live bookmark code handles an HTTP Error 401.  It seems to just treats is a failure rather than getting the client authentication.

Comment 9

[Shawn Wilsher :sdwilsh]

confirming per comment 8

Comment 10

[BMO Automation]

Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.