Image properties show used password in clear text

Assigned to



12 years ago
7 years ago


(Reporter: Manuel Strehl, Assigned: dveditz)


(Blocks: 1 bug, {privacy})


Firefox Tracking Flags

(Not tracked)





12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)

If you log in using the HTTP-Request method, the "user:pwd@" part is hidden in the navigation bar. But if you look at the properties of an element within the site (e.g. an <img>) you see in the location field the password in clear text.

This is very serious in case you log in to a page and then let someone else just navigate a bit.

Reproducible: Always

Steps to Reproduce:
1. Go to any page with HTTP-Request
2. Click with right on a picture, select "properties"
3. The field "location" shows the full URL:

Actual Results:  
Nothing, I hope!

Expected Results:  
Not show the password at all. The location should be sth. like

Comment 1

12 years ago

This bug only appears, if you log in by explicitly typing the domain, e.g. typing, to the location bar.
Known issue, there must be a dupe somewhere
Assignee: nobody → darin
Group: security
Component: Security → Networking: HTTP
Ever confirmed: true
Keywords: privacy
Product: Firefox → Core
QA Contact: firefox → networking.http
Whiteboard: DUPEME
Version: unspecified → Trunk
sorry, not networking -- this could be resolved in the various properties dialogs by using FixupURI. Back to Firefox UI
Assignee: darin → dveditz
Blocks: 130327
Component: Networking: HTTP → Security
Product: Core → Firefox
Whiteboard: DUPEME
OS: Linux → All
QA Contact: networking.http → firefox

Comment 4

12 years ago
Confirmed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051026 Firefox/1.5.

Is there a general solution that doesn't require remembering to use FixupURI everywhere URLs are displayed?  What would break if the URL of the loaded page didn't have username:password in it?  What else does FixupURI do?

Comment 5

7 years ago
Still appears present in Firefox 4 betas.
You need to log in before you can comment on or make changes to this bug.