User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20051004 Firefox/1.0.4 (Debian package 1.0.4-2sarge5-rex1)

If you log in using the HTTP-Request method, the "user:pwd@" part is hidden in the navigation bar. But if you look at the properties of an element within the site (e.g. an <img>), you see the password in clear text in the location field. This is very serious in case you log in to a page and then let someone else just navigate a bit.

Reproducible: Always

Steps to Reproduce:
1. Go to any page with HTTP-Request
2. Right-click on a picture, select "properties"
3. The field "location" shows the full URL: http://user:email@example.com/test.png

Actual Results:
Nothing, I hope!

Expected Results:
Not show the password at all. The location should be sth. like http://www.example.com/test.png
Update: This bug only appears if you log in by explicitly typing the domain, e.g. typing http://user:firstname.lastname@example.org, into the location bar.
Known issue, there must be a dupe somewhere
sorry, not networking -- this could be resolved in the various properties dialogs by using FixupURI. Back to Firefox UI
Confirmed using Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051026 Firefox/1.5. Is there a general solution that doesn't require remembering to use FixupURI everywhere URLs are displayed? What would break if the URL of the loaded page didn't have username:password in it? What else does FixupURI do?
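One way to strip credentials in a single place before any URL reaches a dialog, as an added example that is not from this bug thread or from Firefox's code. The name `displayUrl` and the sample URLs are assumptions; it uses the standard WHATWG `URL` API and shows why an image's location picks up the password: a relative `src` inherits the userinfo of the page URL it is resolved against.

```javascript
// Added illustration, not Firefox code: one choke point that every
// "show this URL to the user" path calls, instead of per-dialog fixes.
// displayUrl and all sample URLs below are hypothetical.

function displayUrl(raw, base) {
  let url;
  try {
    // Relative references (e.g. <img src="test.png">) are resolved against
    // the page URL and inherit its username and password.
    url = new URL(raw, base);
  } catch (e) {
    // Unparseable input is never echoed back: it may still hold "user:pwd@".
    return { text: "(invalid URL)", stripped: false };
  }
  const stripped = url.username !== "" || url.password !== "";
  // These setters are no-ops for URLs that cannot carry credentials
  // (for example mailto:), so such URLs pass through unchanged.
  url.username = "";
  url.password = "";
  return { text: url.href, stripped };
}

// Constructed sample: a page loaded with credentials typed into the location bar.
const PAGE = "http://user:pwd@www.example.com/dir/page.html";

// Constructed element URLs as they might appear in the page's markup.
const SAMPLES = ["test.png", "/img/logo.png", "//cdn.example.net/a.png",
                 "http://user:p@ss@www.example.com/a", "mailto:user@example.com"];

function demo() {
  return SAMPLES.map((src) => {
    const resolved = new URL(src, PAGE).href;   // what a naive dialog would show
    const shown = displayUrl(src, PAGE);        // what the sanitised dialog shows
    return { src, resolved, shown: shown.text, stripped: shown.stripped };
  });
}

for (const row of demo()) {
  console.log(`${row.src}\n  raw:   ${row.resolved}\n  shown: ${row.text ?? row.shown}`);
}
```
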
Still appears present in Firefox 4 betas.