Closed
Bug 292713
Opened 20 years ago
Closed 20 years ago
Form passwords should be remembered by the "action" URL instead of the page's.
Categories
(Toolkit :: Password Manager, defect)
RESOLVED
WONTFIX
People
(Reporter: kazssym, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7.6) Gecko/20050318 Firefox/1.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP; rv:1.7.6) Gecko/20050318 Firefox/1.0.2
If there are two login forms for the same site in http and https, the password
for one is not used for the other even if the two forms' actions are referring
to the same site. This is annoying and can be resolved by using the form's action
URL for storing passwords.
Reproducible: Always
Steps to Reproduce:
Comment 1•20 years ago
*** This bug has been marked as a duplicate of 222653 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Comment 2•20 years ago (Reporter)
(In reply to comment #1)
>
> *** This bug has been marked as a duplicate of 222653 ***
I cannot understand why this is a duplicate. Can you describe?
Comment 3•20 years ago (Reporter)
For example, a page at http://www1.example.com/foo contains this markup:
<form action="https://www2.example.com/bar">
...<input type="password" name="...">...</form>
the password should be remembered for https://www2.example.com instead of
http://www1.example.com as the current Firefox does.
Comment 4•20 years ago
(In reply to comment #2)
Because your suggestion is vulnerable.
According to your example #3,
malicious.example.com can steal www1.example.com's
password, when it has a form whose target URL is www2.example.com ...?
Comment 5•20 years ago (Reporter)
(In reply to comment #4)
> (In reply to comment #2)
> Because your suggestion is vulnerable.
> According to your example #3,
> malicious.example.com can steal www1.example.com's
> password, when it has a form whose target URL is www2.example.com ...?
It is by scripting, isn't it? I see the point.
But the password is still not for www1.example.com but for www2.example.com. I
hope there is a solution for it somewhere.
How about preventing foreign (not from www2.example.com in the above example)
scripts from getting values from the form? Or letting the user decide
which site can be filled with the password for the target site? Is there any
better idea?
Comment 6•19 years ago
I would have marked this bug as wontfix rather than duplicate of bug 222653, which is false.
Comment 7•18 years ago
Agreed, this was not a duplicate.
Updated•18 years ago
Resolution: DUPLICATE → WONTFIX
Comment 8•18 years ago
Firefox now uses the page hostname *and* the action hostname (see bug 360493). Using just the action hostname would make it trivial for a malicious site to steal your passwords for other sites.
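The difference between the two keying schemes discussed in this thread, as an added example that is not part of the bug report and is not Firefox's code. It is a simplified model; `LoginStore`, `demo` and the `other.example.net` host are hypothetical, and the saved login is constructed sample data.

```javascript
// Simplified model of a password store (added illustration, not Firefox code).
// All class/function names are hypothetical; the stored login is constructed.
const host = (url) => new URL(url).hostname;

class LoginStore {
  constructor(keying) {
    this.keying = keying; // "action-only" or "page+action"
    this.logins = [];
  }
  key(pageUrl, actionUrl) {
    // Resolve the action against the page so relative actions also work.
    const actionHost = host(new URL(actionUrl, pageUrl).href);
    return this.keying === "action-only"
      ? actionHost
      : `${host(pageUrl)}|${actionHost}`;
  }
  save(pageUrl, actionUrl, user, password) {
    this.logins.push({ key: this.key(pageUrl, actionUrl), user, password });
  }
  // Returns the login that would be filled into a form on pageUrl, or null.
  lookup(pageUrl, actionUrl) {
    const k = this.key(pageUrl, actionUrl);
    return this.logins.find((l) => l.key === k) || null;
  }
}

function demo(keying) {
  const store = new LoginStore(keying);
  const page = "http://www1.example.com/foo";      // page from comment 3
  const action = "https://www2.example.com/bar";   // form action from comment 3
  store.save(page, action, "alice", "constructed-secret");
  return {
    // Same page, same action: the login should be offered.
    legitimate: store.lookup(page, action) !== null,
    // Another site hosts a form with the same action. If the field is
    // filled, that page's own scripts can read the value before any submit.
    foreignPage: store.lookup("http://malicious.example.com/", action) !== null,
    // Same page, but the form now posts to a different host.
    changedAction: store.lookup(page, "https://other.example.net/collect") !== null,
  };
}

console.log("action-only:", demo("action-only"));
console.log("page+action:", demo("page+action"));
```

With action-only keying the foreign page gets a fill; with page and action both in the key it does not, while the legitimate form still matches.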
Updated•16 years ago (Assignee)
Product: Firefox → Toolkit