Closed Bug 305009 Opened 19 years ago Closed 19 years ago

Password manager should not distinguish between www.example.com and example.com, http://example.com and https://example.com

Categories

(SeaMonkey :: Passwords & Permissions, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 92966

People

(Reporter: samjnaa, Assigned: dveditz)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050813 SeaMonkey/1.0a
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050813 SeaMonkey/1.0a

Currently the Password Manager distinguishes between www.foo.org and foo.org,
http://foo.org and https://foo.org. This should not occur. Logically, all
foo.org sites are equivalent to www.foo.org (though I've seen some without this,
for some reason unknown to me) and the same site http://foo.org is with SSL
https://foo.org. There is no reason for Password Manager to distinguish between
the above pairs.

Reproducible: Always

Steps to Reproduce:
A
1. Visit www.foo.org and enter a password.
2. Pwd Mgr asks to save, say yes.
3. Visit foo.org.

B
1. Visit http://foo.org and enter a password.
2. Pwd Mgr asks to save, say yes.
3. Visit https://foo.org.

Actual Results:
Pwd Mgr did not detect that it was the same site, and did not autofill the
password. In fact, when I enter the password again, and hit "login" (or
whatever) then Pwd Mgr again asks to save the password and stores it as a
separate entry.

Expected Results:  
Pwd Mgr should have "understood", i.e. its site identification function should
have detected foo.org and www.foo.org to be the same and http://foo.org and
https://foo.org to be the same, and hence load the previously stored passwords
for these websites.

Note:

foo.org is not the same as bar.foo.org, though it is generally the same as
www.foo.org. Hence the password for foo.org should not be autofilled for
bar.foo.org, but only for www.foo.org.

There is no requirement that www.example.com and example.com be the same site,
or that SSL sites (https) be the same as http ones.  They may commonly be the
same, but there is no way for Mozilla to know.  Assuming otherwise would be a
security hole.

Side note: changing references to 'example.com' instead of 'foo.org'.  Don't
make up supposedly fake domain names--chances are they exist.  example.com is
reserved in the domain name system for this purpose.

*** This bug has been marked as a duplicate of 92966 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Summary: Password manager should not distinguish between www.foo.org and foo.org, http://foo.org and https://foo.org → Password manager should not distinguish between www.example.com and example.com, http://example.com and https://example.com
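
The difference between the two matching rules discussed in this bug, as an added example that is not part of the original report and is not Mozilla's password manager code. `LoginStore`, `strictKey`, `relaxedKey` and the sample URLs are hypothetical names and constructed data; the strict rule keys saved logins by full origin (scheme, host, port), the relaxed rule ignores the scheme and a leading `www.` as the report requests.

```javascript
// Added example: saved-login lookup keyed two different ways.
// All names here are hypothetical, not taken from any browser's source.

// Strict key: scheme + host + port, exactly what URL.origin serializes.
function strictKey(pageUrl) {
  return new URL(pageUrl).origin;
}

// Relaxed key, as requested in the report: drop the scheme and a leading "www.".
function relaxedKey(pageUrl) {
  return new URL(pageUrl).hostname.replace(/^www\./, "");
}

class LoginStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.entries = new Map();
  }
  save(pageUrl, username, password) {
    this.entries.set(this.keyFn(pageUrl), { username, password });
  }
  // Returns the saved login that would be autofilled on pageUrl, or null.
  lookup(pageUrl) {
    return this.entries.get(this.keyFn(pageUrl)) || null;
  }
}

// Constructed sample: one login saved on the TLS site, then four page loads.
const SAVED_ON = "https://www.example.com/login";
const VISITS = [
  "https://www.example.com/account", // same origin as the saved login
  "https://example.com/login",       // different host
  "http://www.example.com/login",    // different scheme: form is not protected by TLS
  "https://bar.example.com/login",   // different subdomain
];

// For each visited page, report whether the store would autofill the login.
function autofillReport(keyFn) {
  const store = new LoginStore(keyFn);
  store.save(SAVED_ON, "alice", "constructed-password");
  return VISITS.map((v) => [v, store.lookup(v) !== null]);
}

console.log("strict :", autofillReport(strictKey));
console.log("relaxed:", autofillReport(relaxedKey));
```

Under the relaxed rule the login saved over HTTPS is also offered on the plain-HTTP page and on the bare host, neither of which the browser can verify is the same site.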