401 authentication window does not mention the used protocol.

RESOLVED DUPLICATE of bug 38019

Status

()

Firefox
Security
RESOLVED DUPLICATE of bug 38019
12 years ago
12 years ago

People

(Reporter: Vincent Deffontaines, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051224 Debian/1.5.dfsg-2bpo1 Firefox/1.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051224 Debian/1.5.dfsg-2bpo1 Firefox/1.5

When requesting authentication on receiving a 401 from a server, the popup window does not mention the protocol in use. This is confusing, since in some cases a redirection can have made the protocol change without the user noticing.

As an example, the provided URL http://mail.inl.fr/ is plain HTTP. The server answers first with a redirection to HTTPS, which in turn requests a 401 auth.
The client then gets prompted for a login/password for "mail.inl.fr", with no mention of the protocol. Even the address bar still (wrongly?) mentions HTTP at that point.
I suggest the protocol be mentionned at that place, and therefore the auth would be prompted for "https://mail.inl.fr", which sounds more complete, and leaves no ambiguity. Or, at least the address bar protocol display should be updated before prompting the user for auth.

This certainly has some security related consequences.

If I recall correctly, firefox 1.0.X had the desired behaviour.


Reproducible: Always

Steps to Reproduce:
1. Go to http://mail.inl.fr/
2. Look at the auth prompt. It does not mention a protocol.
3. Look at the URL bar. It says "http://mail.inl.fr" which is wrong. You were redirected to HTTPS before the auth prompt.

Comment 1

12 years ago

*** This bug has been marked as a duplicate of 38019 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.