Bug 320851: http authentication (401) prompt no longer displays scheme
Status: RESOLVED FIXED (Closed)
Opened 19 years ago, Closed 19 years ago
Categories: Core :: Networking: HTTP, defect
Target Milestone: mozilla1.8.1
People: Reporter: nelson, Assigned: Gavin
Keywords: fixed1.8.1, regression, verified1.8.0.2
Whiteboard: [sg:spoof] Allows MITM to spoof https password prompt [rft-dl]
Attachments: 1 file, 1 obsolete file
patch (1.46 KB) - Flags: darin.moz: review+, darin.moz: superreview+, darin.moz: approval-branch-1.8.1+, dveditz: approval1.8.0.2+
In news://news.mozilla.org:119/cBDmf.30117$dO2.2607@newssvr29.news.prodigy.net
Jack <jhammer.noemail@yahoo.com> wrote:
> When I got the popup window due to 401 in 1.0.x, it used to indicate whether
> it was http versus https. 1.5 does not seem to indicate this as 1.0.x did.
> This is a problem because one can't tell whether redirection occurred or not
> and so one can't be sure that one is sending the user name and password over
> a secure channel.
> Is there a setting to enable display of the protocol (http v. https) as well?
I think this is a legitimate concern. If there is no way to determine http/https, I think that is a security regression.
Comment 1 • 19 years ago
Comment 2 (Assignee) • 19 years ago
Confirmed. Looks like it was removed as part of bug 85484, without anyone noticing.
http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=nsHttpChannel.cpp&branch=1.214&root=/cvsroot&subdir=mozilla/netwerk/protocol/http/src&command=DIFF_FRAMESET&rev1=1.213&rev2=1.214
Assignee: nobody → darin
Status: UNCONFIRMED → NEW
Component: General → Networking: HTTP
Ever confirmed: true
OS: Linux → All
Product: Firefox → Core
QA Contact: general → networking.http
Hardware: PC → All
Version: 1.5 Branch → 1.8 Branch
Updated (Assignee) • 19 years ago
Summary: 401 user authentication dialog does not indicate protocol in 1.5 → http authentication (401) prompt no longer displays scheme
Updated (Assignee) • 19 years ago
Keywords: regression
Updated • 19 years ago
Whiteboard: [sg:spoof] Allows MITM to spoof https prompt
Updated • 19 years ago
Whiteboard: [sg:spoof] Allows MITM to spoof https prompt → [sg:spoof] Allows MITM to spoof https password prompt
Comment 3 (Assignee) • 19 years ago
Boris, Darin, if either of you want to r/sr, that'd be great.
Assignee: darin → gavin.sharp
Status: NEW → ASSIGNED
Attachment #207489 - Flags: superreview?(darin)
Attachment #207489 - Flags: review?(bzbarsky)
Comment 4 (Assignee) • 19 years ago
Might be a good candidate for 1.8.0.1, patch is simple.
Flags: blocking1.8.1?
Flags: blocking1.8.0.1?
Target Milestone: --- → mozilla1.9alpha
Comment 5 • 19 years ago
Comment on attachment 207489: patch
It might be good to incorporate the assignment of |text| into the same conditional, so you aren't testing |proxyAuth| twice.
Also, please note that indentation in this file is four whitespaces.
Attachment #207489 - Flags: superreview?(darin) → superreview-
Comment 6 (Assignee) • 19 years ago
Comments addressed.
Attachment #207489 - Attachment is obsolete: true
Attachment #207500 - Flags: superreview?(darin)
Attachment #207500 - Flags: review?(darin)
Attachment #207489 - Flags: review?(bzbarsky)
Comment 7 • 19 years ago
need trunk-baked patch for branch
Flags: blocking1.8.0.2?
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1-
Comment 8 • 19 years ago
Comment on attachment 207500: patch v2
r+sr=darin
Attachment #207500 - Flags: superreview?(darin)
Attachment #207500 - Flags: superreview+
Attachment #207500 - Flags: review?(darin)
Attachment #207500 - Flags: review+
Comment 9 (Assignee) • 19 years ago
Checked in on the trunk.
mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.265;
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Updated (Assignee) • 19 years ago
Target Milestone: mozilla1.9alpha → mozilla1.8.1
Updated (Assignee) • 19 years ago
Attachment #207500 - Flags: branch-1.8.1?(darin)
Attachment #207500 - Flags: approval1.8.0.2?
Comment 10 • 19 years ago
Comment on attachment 207500: patch v2
a=darin
Attachment #207500 - Flags: branch-1.8.1?(darin) → branch-1.8.1+
Comment 11 (Assignee) • 19 years ago
Checked in on the 1.8 branch.
mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.256.2.6;
Flags: blocking1.8.1?
Keywords: fixed1.8.1
Updated • 19 years ago
Flags: blocking1.8.0.2? → blocking1.8.0.2+
Comment 12 • 19 years ago
Comment on attachment 207500: patch v2
approving for 1.8.0 branch, a=dveditz for drivers
Attachment #207500 - Flags: approval1.8.0.2? → approval1.8.0.2+
Comment 13 (Assignee) • 19 years ago
Checked in on the 1.8.0 branch.
mozilla/netwerk/protocol/http/src/nsHttpChannel.cpp; new revision: 1.256.2.4.2.1;
Keywords: fixed1.8.0.2
Updated • 19 years ago
Whiteboard: [sg:spoof] Allows MITM to spoof https password prompt → [sg:spoof] Allows MITM to spoof https password prompt [rft-dl]
Comment 14 (Assignee) • 19 years ago
http://gavinsharp.com/secret can be used to test this.
Comment 15 • 19 years ago
v.fixed on 1.8.0 branch with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060308 Firefox/1.5.0.2, auth prompt for gavin's page shows the scheme + host.
Keywords: fixed1.8.0.2 → verified1.8.0.2
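The behaviour verified in comment 15 (the prompt shows scheme + host), sketched as an added example that is not the attached patch and not Mozilla code. The function names, the prompt wording and the `.example` hosts are hypothetical, and the `downgraded` flag goes one step beyond the fix to cover the redirect concern raised in the bug description.

```javascript
// Added example; names and prompt wording are hypothetical, not Mozilla's.

// Identify the party asking for credentials as scheme://host[:port].
// URL.origin drops any userinfo and omits the scheme's default port.
function challengerOrigin(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("not an HTTP(S) URL: " + url);
  }
  return { origin: u.origin, encrypted: u.protocol === "https:" };
}

// requestedUrl: what the user asked for; challengeUrl: the URL (or proxy)
// that actually answered 401/407, possibly after redirects.
function describeAuthPrompt({ requestedUrl, challengeUrl, realm, proxyAuth = false }) {
  const asked = challengerOrigin(requestedUrl);
  const from = challengerOrigin(challengeUrl);
  // One branch picks the wording, so proxyAuth is tested once.
  const text = proxyAuth
    ? `The proxy ${from.origin} is requesting a user name and password. The proxy says: "${realm}"`
    : `Enter user name and password for "${realm}" at ${from.origin}`;
  return {
    text,
    origin: from.origin,
    encrypted: from.encrypted,
    // The user started on https but the challenge arrived over plain http.
    downgraded: !proxyAuth && asked.encrypted && !from.encrypted,
  };
}

// Constructed sample: an https request that ends at an http challenge.
const sample = describeAuthPrompt({
  requestedUrl: "https://intranet.example/reports",
  challengeUrl: "http://intranet.example/reports",
  realm: "Reports",
});
console.log(sample.text, sample.downgraded ? "(NOT encrypted)" : "");
```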