293634 - mybank.icbc.com.cn - form input password activeX plug-in required

Status: RESOLVED WONTFIX

(Web Compatibility :: Site Reports, defect, P3)

Description

[maxiaobo]

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Maxthon; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0

There is a form in this page,which have a line to input password. There is no 
problem if you use IE. But if use firefox ,this input field disappeared . I 
think it is not downloading plus-in of this page when enter password. 

Reproducible: Always

Steps to Reproduce:
1.open firefox 
2.enter https://mybank.icbc.com.cn/icbc/perbank/index.jsp 
3.

Actual Results:  
I could not enter password after  enter username,because the input field  of 
password do not display.

Expected Results:  
I can enter password and visit that website.

Comment 1

[Daniel Veditz [:dveditz]]

Firefox doesn't support ActiveX, required by this page. Not a security problem
(in fact quite the opposite).

-->Tech Evangelism

Comment 2

[Chris Lawson (gone)]

Is this still a problem? It appears to be, which means all Mac users are out in the cold as well.

Comment 5

[Karl Dubost💡 :karlcow]

Going to https://mybank.icbc.com.cn/icbc/perbank/index.jsp 
Now displays 对不起，使用我行网银需要Mac OS X 10.6.8及Safari5.1或以上版本，建议您在线升级操作系统或浏览器版本后使用我行网银。 

If I go there with Safari, I get redirected to
https://mybank1.icbc.com.cn/icbc/perbank/index.jsp?injectTranName=&injectTranData=&injectSignStr=

When emulating the User Agent to be Safari, there is no issue on Firefox we can access the site.

The site needs to be contacted and asked if they could send to Firefox the same version they send to Safari users.

Comment 6

[Karl Dubost💡 :karlcow]

Adding yliu for contacting sites in Chinese.

Comment 7

[Yanfang Liu]

ICBC had fixed this bug for Windows before Fx10 release, but the website only compatible with Fx10-Fx21 on windows so for. For Mac, they didn't do any improvement.

we are now keeping in contact with ICBC and waiting for their solution on latest Firefox.

Comment 8

[Mike Taylor [:miketaylr]]

I'm still seeing the ActiveX stuff:

<object id="safeEdit1" codebase="/icbc/newperbank/AxSafeControls.cab#version=1,0,0,26" classid="CLSID:73E4740C-08EB-4133-896B-8D0A7C9EE3CD" style="vertical-align:middle;" nextelemid="verify" onkeyup="getfocus1('KeyPart', event);" onfocus="clearErrTip();detectCapsLock('logonform','safeEdit1',670,140,400,'logontb')" onblur="closeCapTip('logonform','safeEdit1')" width="200" height="24">
<param name="name" value="logonCardPass">
<param name="minLength" value="4">
<param name="maxLength" value="30">
<param name="rule" value="10111">
<param name="UniqueID" value="1491592556782859459">
<param name="IsPassword" value="true">
<param name="prompttext" value="登录密码">
<param name="prompttextcolor" value="102,102,102">
<param name="backgroundcolor" value="255,255,255">
<param name="isbordervisible" value="0">
</object>

Karl, maybe we could ask Mozilla Japan if they have contacts? I don't know big of a change a request like this would be... but apparently this bank is still IE-only.

Comment 9

[Mike Taylor [:miketaylr]]

Oops. Not Japan. >_<

Redirecting question to Eric.

Comment 10

[Eric Tsai (no more review request accepted)]

Password and captcha field still use activeX plugin. I think Bingqing has connection with them?

Comment 11

[Bingqing Li]

We've been contact with them for a really long time, but lack of progress.
The last few years，the desktop online bank is moving over to mobile online bank， So many banks has stopped the maintenance of desktop online bank, especially after stopping the support of NPAPI.

Comment 12

[Bingqing Li]

(In reply to Bingqing Li from comment #11)
> We've been contact with them for a really long time
We've been contacting with them for a really long time. And still try to ping the relevant people of ICBC from time to time.

Comment 13

[Mike Taylor [:miketaylr]]

Thanks everyone for the info -- these types of change requests are not simple (please rewrite your app), so I'm not surprised by the lack of progress here. We can leave it open, but maybe WONTFIX is the better scenario.

Comment 14

[em_te]

Just to add some findings, clicking on the ICBC internet banking login page:

https://mybank.icbc.com.cn/icbc/enperbank/index.jsp

Using Firefox shows a messaging saying:

Only IE7 and above (excluding Edge) or Chrome 38 to 41 or Safari 7 and above are supported

Furthermore I tried using Chrome+Windows and it requires downloading an extension to login:

https://mybank.icbc.com.cn/icbc/newperbank/ICBCChromeExtension.msi

I unzipped it and found that it packages various npChrome DLLs and a WebExtension that loads an npChromeClCache.dll and whose manifest.json file is NOT scoped to ICBC domains, but rather is executed on all websites matching (file|https?)://*/* so not very security conscious.

Comment 15

[Mike Taylor [:miketaylr]]

(In reply to em_te from comment #14)
> I unzipped it and found that it packages various npChrome DLLs and a
> WebExtension that loads an npChromeClCache.dll and whose manifest.json file
> is NOT scoped to ICBC domains, but rather is executed on all websites
> matching (file|https?)://*/* so not very security conscious.

That sounds pretty terrible?

Comment 16

[Sergiu Logigan [:sergiu]]

Due to security issues, we won't fix this.