445395 - No Preference To Disable Security Warning Caused By Autosubmit From A Secure Form to Insecure Page

Status: RESOLVED DUPLICATE of bug 436200

(Firefox :: Security, defect)

Description

[Peter Gerdes]

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0

Some websites (like the login for my school's proxy server) are designed as follows.  A secure form is presented to allow you to enter your credentials and the data from this form is submitted securely as well.  However, the https page returned after the form submission then uses javascript to automatically submit (non-sensitive) information to an http URL.  This results in an annoying modal dialog that pops up each time warning you that "Although this page is encrypted, the information you have entered..."  

This warning is issued whenever information is submitted from a form on a secure page to an insecure location no matter what the preferences or prefs.js say or what is on the form.  However, the particular problem cases tend to occur when the form being submitted insecurely from a secure page is an invisible autosubmitted form.  Not only is it annoying but telling the user the data they submitted may be vulnerable is confusing and useless when they never entered any data on the form (and may falsely suggest it is the data that they securely submitted that is being transmitted in the clear).  

I realize this kind of bug *seems* like it is a minor annoyance that is worth the security benefits of warning people about insecure forms but for common cases like this I would argue that the harm of encouraging people to ignore the warning and hit enter results in worse security as well as annoyance.  In my view the proper behavior should be as follows.

1) There should be a control to disable the warnings that result from an insecure form submission on a secure page.  Ideally this would be a per-domain setting but at the very least there should be a setting in about:config to change this globally.

2) In situations where the form is hidden or the user has otherwise not entered any information into the page the warning about submitting unencrypted information should be eliminated.  The warning offers no information about what data has been submited so the user can't make an informed deciscion and firefox can't protect against web designers who go out of their way to retransmit secure information in plaintext, e.g., web designers can send information from a secure form via an insecure XMLHttpRequest, save it into a cookie for later transmission as plaintext, or encode it into the URLs offered to the user.  Hence this behavior would not yield increased security risks while cutting down on annoying unnecessary modal warnings would be a security gain.

2') If the security warning is kept for hidden/unmodified forms it should at least indicate that an INVISIBLE form was submitted so it doesn't confuse the user into thinking the information they previously submitted securely is going to be sent unencrypted.  Ideally the warning would also tell the user what information is being sent unencrypted as without this it's useless.

3) In situations where the warning isn't automatically disabled (say because the user entered information on the form) the modal dialog should offer the user the option of suppressing it from now on for that page.  The user should get to decide when their data is sensitive enough to require a warning.

Reproducible: Always

Steps to Reproduce:
1. Turn off all warning options in preferences change all security.warn settings in about:config to off (happens either way but this illustrates the point).
2.Navigate to a webpage that autosubmits cleartext data from a secure page.
3.Receive confusing warning that can't be disabled.

Actual Results:  
The following warning is issued in a modal dialog.

     Although this page is encrypted, the information you have
     entered is to be sent over an unencrypted connection and could
     easily be read by a third party.

     Are you sure you want to continue sending this information?



Bug 410340 may be describing the same situation but it's not descriptive enough for this to be clear.

Bug 377382 describes a related problem that results from these modal dialogs being generated by autosubmit events.  

Note this is not the same issue as the warning generated when submitting to a javascript URL (URN? URI?)