Open Bug 656343 Opened 13 years ago Updated 2 years ago

After redirect to page requiring HTTP or FTP basic/username/password auth, the redirect destination is not in the address bar

Categories

(Core :: Networking: HTTP, defect, P3)

Product:
Core
Component:
Networking: HTTP
Platform:
x86
Linux
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox5 - ---

People

(Reporter: briansmith, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

(Keywords: sec-moderate, Whiteboard: [sg:moderate spoof][necko-backlog])

Attachments

(1 file)

Screenshot of Firefox 88.0
30.31 KB, image/png
Details 
+++ This bug was initially created as a clone of Bug #623155 +++

I saw this when sent a tinyurl.com link that redirected to https://intranet.mozilla.org. The tinyurl.com URL was in the address bar when the HTTP auth dialog popped up. If an attacker could cause a user-trusted website to redirect to their own website, then they could exploit this to steal credentials.

This is similar to bug 623155 and may be caused by bug 311007.
Unrealistic we'd get a fix for Firefox 5 here.
tracking-firefox5: ?-
Whiteboard: [sg:moderate spoof]
Depends on: 311007
Unlike bug 623155, this is not a front-end bug. Mostly http channel, partly docshell and else.

First of all, we should decide which URI the URL bar should display.
(In reply to O. Atsushi (Torisugari) from comment #2)
> First of all, we should decide which URI the URL bar should display.

The URL of the site that's producing the auth prompt, presumably? What other URI would make sense?
The auth prompt is not always from main document. For example, an IMG tag

  <img src="http://image.example.com/icon.png">

requires <image.example.com>'s user/password, but the document URI may be different, like e.g. "http://www.example.com/index.html". Probably the loadgroup's chain will tell us the "main" document's URI, but sometimes that is also confusing to the user.

Anyway, when the channel is asking password to the user, docsehll should not fire onLocationChange, in my opinion. But maybe onStateChange is OK, if we define a new state flag, say, STATE_PENDING_AUTH_INPUT or something.

Alternatively, what makes sense I think is blank bar temporally.
(In reply to O. Atsushi (Torisugari) from comment #4)
> The auth prompt is not always from main document.

Well, that's a separate issue (related to bug 647010). For the purposes of this bug, we should just be gaining parity with the existing auth prompting cases (the URL of the page containing the resource that causes the prompt should be displayed).
This may be related or have similar solution to bug 528988.
See Also: → 528988
(In reply to Gavin Sharp (use gavin@gavinsharp.com for email) from comment #5)
> (the URL of the page containing the resource that causes the prompt should
> be displayed).

"Resource's URL" (nsIChannnel::URI) is not always what we should display. For example, a document may want to change URLbar's string per history.pushState() etc. In such a case, that call may have been done before sub-channles's auth request. That's why doc-loader is hard to fire onLocationChange on a auth request. Sometimes we want to overwrite the URLbar with the resource's URI, not always. Though I'm not too sure what bug 528988 is like...

The candidates are
1. the main resource's URI only before its "onLocationChange".
2. the main resource's URI only after redirect and before onLocationChange.
I don't really understand what the complication is. We need to be firing onLocationChange (this bug)/onSecurityChange (bug 528988) before we display any auth prompts. Why is that difficult?
If on a auth request we blindly call onLocationChange (which is based on the resource URI), such a script does not work as expected:

<script>
function myOnLoadListener() {
  // Now the URLbar is <http://www.example.com/foo.html>

  // This will fire <http://www.example.com/bar.html>'s onLocationChange.
  history.pushState({}, "Bar!!", "bar.html");

  // Now, the URLbar is <http://www.example.com/bar.html>

  var img = new Image();
  img.src = "http://auth.example.com/icon.png"; //require http-auth.

  // after this auth prompt, the URLbar goes back to
  // <http://www.example.com/foo.html> again...?
}
</script>

On this auth prompt, we should not call onLocationChange. This script is very simple, but on a actual document, <img> tags are loaded asynchronously. So one image may loaded before main onLocationChange and another may loaded after main onLocationChange. Therefore we should manage whether or not we have already fired onLocationChange, more strictly than the current implementation. Well, as long as we really want to fire onLocationChange.
Let me rephrase:
We need to be firing onLocationChange (this bug)/onSecurityChange (bug 528988) before we display any auth prompts for the top-level document.
(In reply to Gavin Sharp (use gavin@gavinsharp.com for email) from comment #10)
> Let me rephrase:
> We need to be firing onLocationChange (this bug)/onSecurityChange (bug
> 528988) before we display any auth prompts for the top-level document.

I found another problem. If the size of the top-level document is large enough, probably the user can push the STOP button after its auth dialog. In this case, the wrong URI remains in the URLbar.
(In reply to O. Atsushi (Torisugari) from comment #11)
> I found another problem. If the size of the top-level document is large
> enough, probably the user can push the STOP button after its auth dialog. In
> this case, the wrong URI remains in the URLbar.

Why is that the wrong URI? The URI will still correctly reflect the partially loaded page.
> the partially loaded page.

That is correct in terms of network, but not correct in terms of content document. Until the true-onLocationChange is called, all the navigation UIs of content area, including scrolling and another link-clicking, serve for the previous document. If the user pushes the STOP button between normal link-click (same target window) and true-onLocationChange, the previous document is alive and the user can continue web navigation without session history. If we have fired fake-onLocationChange in advance, the previous document's URLbar is wrong.

PoC:

1. Load this page with Firefox, as you are doing now.
2. Click an auth link:  https://intranet.mozilla.org/
   (even if you don't know the password).
3. In the auth dialog, set focus to the OK button with [TAB] key.
4. Hit [Enter] key.
5. Hit [Escape] key, very quickly.
6. Confirm you can continue this page's web navigation.

What this bug is requesting is to fire fake-onLocationChange between step 2. and step 3. As a result, after step 6., this page's URLbar will be <https://intranet.mozilla.org/>.
Therefore maybe we should display pseudo content (an error page will do) to enable the session history (and bfcache) to hook onto, before prompting http-auth dialog. Then the content will fire onLocationChange and onSecurityChange automatically.
Honza - can you lend a hand here?
Assignee: nobody → honzab.moz
Idea:

What about to add the information about the URL (and its SSL info..) that requests the auth info directly into the auth dialog?  

OS X, for instance, shows the image path and name with all the execution tree when asking for the root password.  This tells the user exactly where from the password request comes from.

As the dialog comes from chrome, it will be automatically trusted by users.

This fixes this bug, bug 528988 and can make bug 647010 invalid.

I think any plays with onStateChange and onLocationChange could bring just more (security) harm...

Opinions?
I like your idea.

However, it does not seem easy to implement it, because we don't have (yet) clear definition of "Requester/Requestee", and thus we don't have a useful API to tell who is the requester. For example, bug 709892 implies we should track the caller of window.open(). And I'm not sure how many ways to request a document transition. First of all, we need a complete list of manners of requesting a URL (JS redirection and NPN_GetURL(...) etc.).
For me the request is the channel, i.e. the URL.  It might not be perfect and I don't think it would be worse then now, but at least would fix this bug.

Technically, every password request is bound to at least one channel and is easily reachable.

Could somehow principal be used as an indication?
(In reply to Honza Bambas (:mayhemer) from comment #18)
> For me the request is the channel, i.e. the URL.  It might not be perfect
> and I don't think it would be worse then now, but at least would fix this
> bug.
> 
> Technically, every password request is bound to at least one channel and is
> easily reachable.

Yes, and the current password prompt also shows the URL.
Moving this bug to Networking: HTTP, cause that seems closer to what this really is about than core security.
Component: Security → Networking: HTTP
Blocks: 873810
Group: network-core-security
Group: network-core-security
Filed this 3.5 years ago, and it's rated just sec-moderate. Is it OK to open this up?
Flags: needinfo?(dveditz)
Group: core-security
Flags: needinfo?(dveditz)
Assignee: honzab.moz → nobody
Whiteboard: [sg:moderate spoof] → [sg:moderate spoof][necko-backlog]
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
Summary: After redirect to page requiring HTTP auth, the redirect destination is not in the address bar → After redirect to page requiring HTTP or FTP basic/username/password auth, the redirect destination is not in the address bar
Severity: normal → S3

The severity field for this bug is relatively low, S3. However, the bug has 9 duplicates.
:kershaw, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(kershaw)

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Flags: needinfo?(kershaw)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: