Closed Bug 292713 Opened 19 years ago Closed 19 years ago

Form passwords should be remembered by the "action" URL instead of the page's.

Categories

(Toolkit :: Password Manager, defect)

x86
Windows XP
defect
Not set
minor


RESOLVED WONTFIX

People

(Reporter: kazssym, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7.6) Gecko/20050318 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7.6) Gecko/20050318 Firefox/1.0.2

If there are two login forms for the same site in http and https, the password
for one is not used for the other even if the two forms' actions are referring
to the same site.  This is annoying and can be resolved by using the form's action
URL for storing passwords.

Reproducible: Always

Steps to Reproduce:

*** This bug has been marked as a duplicate of 222653 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
(In reply to comment #1)
> 
> *** This bug has been marked as a duplicate of 222653 ***

I cannot understand why this is a duplicate.  Can you describe?
For example, a page at http://www1.example.com/foo contains this markup:

<form action="https://www2.example.com/bar">
...<input type="password" name="...">...</form>

the password should be remembered for https://www2.example.com instead of
http://www1.example.com as the current Firefox does.
(In reply to comment #2)
Because your suggestion is vulnerable.
According to your example #3,
malicious.example.com can steal www1.example.com's
password, when it has a form whose target URL is www2.example.com ...?
(In reply to comment #4)
> (In reply to comment #2)
> Because your suggestion is vulnerable.
> According to your example #3,
> malicious.example.com can steal www1.example.com's
> password, when it has a form whose target URL is www2.example.com ...?

It is by scripting, isn't it?  I see the point.
But the password is still not for www1.example.com but for www2.example.com.  I
hope there is a solution for it somewhere.

How about preventing foreign (not from www2.example.com in the above example)
scripts from getting values from the form?  Or letting the user make decisions
which site can be filled with the password for the target site?  Is there any
better idea?
I would have marked this bug as wontfix rather than duplicate of bug 222653, which is false.
Agreed, this was not a duplicate.
Resolution: DUPLICATE → WONTFIX
Firefox now uses the page hostname *and* the action hostname (see bug 360493).  Using just the action hostname would make it trivial for a malicious site to steal your passwords for other sites.
Product: Firefox → Toolkit
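
The trade-off discussed in this thread, as an added sketch that is not Firefox's code and not written by any commenter: one saved login is matched against the legitimate form, its https twin and a form on a foreign page under three keying rules. The policy names, store layout and credential are constructed, and comparing full origins rather than hostnames is an assumption.

```javascript
// Simplified model of password-manager matching; not Firefox's implementation.
// Policy names, store layout, credentials and URLs are constructed.
const origin = (u) => new URL(u).origin;
const ACTION = "https://www2.example.com/bar";

// One saved login: the page it was typed on and the action it was posted to.
const savedLogins = [{
  pageUrl: "http://www1.example.com/foo",
  actionUrl: ACTION,
  username: "alice",
  password: "constructed-secret",
}];

// Each policy decides whether a saved login matches the form now on screen.
const policies = {
  // What the reporter describes as current behaviour: key on the page only.
  pageOnly: (s, f) => origin(s.pageUrl) === origin(f.pageUrl),
  // The proposal in this bug: key on the form's action only.
  actionOnly: (s, f) => origin(s.actionUrl) === origin(f.actionUrl),
  // The final comment's rule: page and action must both match.
  pageAndAction: (s, f) =>
    policies.pageOnly(s, f) && policies.actionOnly(s, f),
};

// Returns the saved login that would be filled into the form, or null.
function loginToFill(policyName, form) {
  return savedLogins.find((s) => policies[policyName](s, form)) || null;
}

const legitForm = { pageUrl: "http://www1.example.com/foo", actionUrl: ACTION };
// Same site over https: the case the reporter finds annoying.
const httpsTwin = { pageUrl: "https://www1.example.com/foo", actionUrl: ACTION };
// Any page can declare any action, and its own scripts can read filled fields.
const foreignForm = { pageUrl: "http://malicious.example.com/", actionUrl: ACTION };

// For each policy: on which of the three pages is the saved login filled?
function fillMatrix() {
  const out = {};
  for (const name of Object.keys(policies)) {
    out[name] = {
      legit: loginToFill(name, legitForm) !== null,
      httpsTwin: loginToFill(name, httpsTwin) !== null,
      foreign: loginToFill(name, foreignForm) !== null,
    };
  }
  return out;
}

console.log(fillMatrix());
```

Only `actionOnly` fills the form on the foreign page; it is also the only rule that fills the https twin, which is the convenience the reporter asked for.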