Here's an example: logging in to spreadfirefox. If you log in using http://spreadfirefox.com and get the password manager to remember it, it'll store fine. Yay. Now, if you try to log in at http://www.spreadfirefox.com, the password is not there: the password manager sees the www and assumes it's not the same site. I see why this is there: for subdomains and stuff. However, I believe the password manager should exclude www when looking for remembered passwords, so the saved password works on http://www.spreadfirefox.com and http://spreadfirefox.com.
OS: Windows XP → All
Hardware: PC → All
Version: unspecified → Trunk
Changing to enhancement. -1 Vote from me.
Severity: major → enhancement
Mass edit: Changing QA to default QA Contact
QA Contact: davidpjames → password.manager
Recommend invalid. CNAME entries do not imply same website, due to host headers.
90-99% of the time, this would probably work. However, there are instances where http://www.example.com/ and http://example.com/ are not the same site, and possibly even rare instances where this would present a security risk. I would think that this is why the behavior is as it is. This is probably a WONTFIX, but that's not my call - confirming so that a developer can make a decision on this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(In reply to comment #4)
> and possibly even rare instances where this would present a security risk. I
> would think that this is why the behavior is as it is.
Current behavior is based on HTTP, DNS protocol, and the Mozilla Same Origin Rule. These are implemented by every web server and client, not "rare instances". This is not a valid bug.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → INVALID
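The difference between the current behavior and the requested one, as an added example that is not part of the original bug thread and is not Firefox's own code. `LoginStore`, `wwwStrippedKey`, the hostnames and the credentials are hypothetical names and constructed values; the store is keyed either by strict origin or by a key with a leading `www.` removed.

```javascript
// Added illustration: saved logins keyed by origin (scheme, host, port).
// All hostnames and credentials below are constructed sample values.

// Strict key: the URL's origin. URL.origin omits default ports (80 for http).
function originOf(url) {
  return new URL(url).origin;
}

// Hypothetical relaxed key that drops a leading "www." label, as the report requests.
function wwwStrippedKey(url) {
  const u = new URL(url);
  const host = u.hostname.replace(/^www\./, "");
  return `${u.protocol}//${host}${u.port ? ":" + u.port : ""}`;
}

class LoginStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.logins = new Map();
  }
  save(url, username, password) {
    const savedFor = new URL(url).hostname;
    this.logins.set(this.keyFn(url), { username, password, savedFor });
  }
  // Returns the saved login and whether the requesting host is the one it was saved for.
  lookup(url) {
    const hit = this.logins.get(this.keyFn(url));
    if (!hit) return null;
    return { ...hit, sameHost: hit.savedFor === new URL(url).hostname };
  }
}

// Save under one URL with both keying policies, then look up under another.
function compare(savedUrl, requestUrl) {
  const strict = new LoginStore(originOf);
  const relaxed = new LoginStore(wwwStrippedKey);
  for (const s of [strict, relaxed]) s.save(savedUrl, "alice", "constructed-password");
  return { strict: strict.lookup(requestUrl), relaxed: relaxed.lookup(requestUrl) };
}

// Two names that DNS and the Host header allow to be served as different sites.
const result = compare("http://example.com/login", "http://www.example.com/login");
console.log("strict origin key:", result.strict);
console.log("www-stripped key:", result.relaxed);
```

With the relaxed key the lookup returns a login whose `sameHost` flag is false: the password would be offered to a host it was never saved for, which is the case the later comments object to.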