Forget About this Site should clear any HTTP-authenticated sessions

NEW
Unassigned

Status

()

Toolkit
Forget About Site
9 years ago
3 years ago

People

(Reporter: beltzner, Unassigned)

Tracking

(Depends on: 1 bug)

Trunk
Future
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 obsolete attachment)

The "Forget About this Site" function should also clear any HTTP-authenticated sessions, much like "Authenticated Sessions" from Clear Private Data used to do.

Updated

9 years ago
Assignee: nobody → sdwilsh
Whiteboard: [needs patch]
To be clear, it's OK to clear all authenticated sessions, right?  We don't have an API to clear just for a given host (and it's subdomains).
For what it's worth, it's doable to add an API to "Forget about this site", but it would be O(N) for the hosts stored (we'd have to iterate through all authenticated sessions).  Clearly, that's not in the 1.9.1 timeframe.  I'm guessing for 1.9.1 we want to clear all, and have follow-ups for the rest.
Created attachment 348260 [details] [diff] [review]
v1.0
Attachment #348260 - Flags: ui-review?(beltzner)
Attachment #348260 - Flags: review?(gavin.sharp)

Updated

9 years ago
Whiteboard: [needs patch] → [has patch][needs review gavin][needs ui-r beltzner]
Requesting blocking because this is a hole in our privacy APIs that makes things not so private.
Flags: blocking-firefox3.1?
Target Milestone: --- → Firefox 3.1
(In reply to comment #2)
> For what it's worth, it's doable to add an API to "Forget about this site", but
> it would be O(N) for the hosts stored (we'd have to iterate through all
> authenticated sessions).  Clearly, that's not in the 1.9.1 timeframe.

Why clearly? Seems pretty doable to me, and O(N) is hardly a problem. Clearing all logins whenever you clear the history for a given site is rather sucky.
(In reply to comment #5)
> (In reply to comment #2)
> > For what it's worth, it's doable to add an API to "Forget about this site", but
> > it would be O(N) for the hosts stored (we'd have to iterate through all
> > authenticated sessions).  Clearly, that's not in the 1.9.1 timeframe.
> Why clearly? Seems pretty doable to me, and O(N) is hardly a problem. Clearing
> all logins whenever you clear the history for a given site is rather sucky.
Because we are feature frozen at this point, so we shouldn't be making API changes, even if they are additive?  It's not like other parts of this API don't do the same thing too.
Weighing all three options (don't fix this bug, fix this bug with that patch, fix this bug with proper API), the latter seems vastly preferable, and I don't think "feature freeze" should prevent us from considering it. Not sure what you mean by "other parts of this API.
Is this a necko API that needs fixing here?  I can fix as needed.... ;)
(In reply to comment #8)
> Is this a necko API that needs fixing here?  I can fix as needed.... ;)
I mean, I could fix it too - it's not hard to iterate through a hash table.  The API in question is nsIHttpAuthCache.
Yeah.  I think we should just change that if we're trying to fix it.  That doesn't seem like a big amount of code by any means, and "feature freeze" is more about not adding anything with regression potential that's not fixing an actual bug.  If the changes to nsIHttpAuthCache end up with regression potential, then we can worry about them.
Comment on attachment 348260 [details] [diff] [review]
v1.0

Forgetting all authenticated sessions when asking to forget one particular site is going to lead to some strange and confusing behaviour for users, and likely some odd bug reports. I'd recommend we actually fix this correctly.
Attachment #348260 - Flags: ui-review?(beltzner) → ui-review-
Also, I don't think that this blocks the final release of Firefox 3.1; while comment 4 is true, it's also true that pretty much the only way to reveal that there's still an HTTP-Authenticated session is to revisit the site (or use some advanced sniffing tools). This is a good polish bug for the feature, but in that case we should fix it right.
Flags: wanted-firefox3.1+
Flags: blocking-firefox3.1?
Flags: blocking-firefox3.1-
Attachment #348260 - Attachment is obsolete: true
Attachment #348260 - Flags: review?(gavin.sharp)
Whiteboard: [has patch][needs review gavin][needs ui-r beltzner]
Boris - I'm thinking of adding two api's here.  One returns an nsISimpleEnumerator that stores the interfaces (I think I'd need to make a new interface for that too), and another to remove a specific entry.  Sound good?
Seems ok.  I guess the things in the enumerator will say what host they're for or whatnot?
Yeah, I think so.  I'll know for sure once I start implementing it.

Updated

9 years ago
Depends on: 465368
Target Milestone: Firefox 3.1 → Firefox 3.5

Updated

8 years ago
Assignee: sdwilsh → nobody
Target Milestone: Firefox 3.5 → Future
Component: General → Forget About Site
Flags: wanted-firefox3.5+
Flags: blocking-firefox3.5-
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.