Closed Bug 373144 Opened 18 years ago Closed 18 years ago

PM Should Validate Action Attribute Before Saving

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: shinyairplane, Unassigned)

References

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

From Bug #360493, there remains a concern that matching the form's action attribute is not sufficient if it hasn't been validated in the first place, when the action realm is saved in signons2.txt.

Reproducible: Always
(In reply to comment #0)
> From Bug #360493, there remains a concern that matching the form's action
> attribute is not sufficient if it hasn't been validated in the first place,
> when the action realm is saved in signons2.txt.

What does "validated in the first place" mean? What form of validation do you think should occur?
Since FF currently doesn't inform the user about the form action, the PM operates under the assumption that the user is always at a legitimate form when they type in their password manually.  PM prompts to save the password, and if the user is at a phishing site their password can be transmitted and replayed even though the password is not being sent to the intended server.

In 360493 I suggested using a unified Same Origin Rule to validate the website www.domain.com trying to post passwords to itself or to domain.com, but warning or displaying some type of feedback if the user tries to save a new password with an action of evil.domain.com.

I was also going to add a separate bug about the need for programmatic feedback to help the user when filling new forms that haven't been saved yet.  Would you prefer to combine the two issues?
Blocks: 373140
(In reply to comment #2)
> Since FF currently doesn't inform the user about the form action

It's not going to do this, and we're already explained in bug 360493 comment 303 onwards.

> if the user is at a phishing site

If the user has typed in their password at a phishing site, it's already game over. The site can steal the password before they even click a submit button.

> In 360493 I suggested using a unified Same Origin Rule to validate the website
> www.domain.com trying to post passwords to itself or to domain.com, but warning
> or displaying some type of feedback if the user tries to save a new password
> with an action of evil.domain.com.

All this would do is result in presenting the user with confusing popup dialogs, which users have been well-trained to react to by automatically clicking "ok".
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.