Authentication details supplied in URL are accessible even when history is disabled and tab has been closed.

RESOLVED INCOMPLETE

Status

()

RESOLVED INCOMPLETE
9 years ago
8 years ago

People

(Reporter: bugzilla-02ul01, Unassigned)

Tracking

3.5 Branch
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6

In both normal and private browsing, even if history is disabled, if you access a URL like the following:

http://test:login@www.example.com/

And then close that tab, it is still possible to access the supplied credentials by undoing the tab close and pressing ESC in the address bar.

This is probably only a problem in a very tiny number of situations (I note that almost no sites authenticate this way any more except for FTP servers), but it just seems like the 'no history' aspect could be more complete.

Reproducible: Always

Steps to Reproduce:
1. Open http://username:password@example.com
2. Close that tab
3. Restore that tab (CTRL+SHIFT+T)
4. Click in Address Bar and hit Escape key
Actual Results:  
As expected, once the username/pass have been transmitted to the website, they are no longer present in the address bar (changes to http://example.com/ only).  However, even if the user browses to other websites in that tab, then closes the tab, someone with physical access to the computer can still restore the tab, browse back through the visited pages, press Escape in the address bar on any site suspected of requiring this sort of login, and retrieve the credentials.

Expected Results:  
Passwords probably shouldn't be shown to the user except when they are being typed in the first time.

I realize this is a piddly minor thing to file a bug about, but the other 3 things I was going to report have already been filed  :P

Comment 1

8 years ago
Reporter -> Are you still experiencing this issue with the latest version of Firefox 3.6.13? Does the issue occur with the latest nightly? http://nightly.mozilla.org/
Version: unspecified → 3.5 Branch

Comment 2

8 years ago
Closing bug as Incomplete - if you are still experiencing this issue or have more information to provide feel free to post back here and we can re-open the bug. You can also get assistance by visiting the Firefox help site -> http://support.mozilla.com/en-US/kb/Ask+a+question
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.