Closed Bug 728329 Opened 13 years ago Closed 13 years ago

Implement a clean way for proxies and captive portals to point the browser to an https auth page

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
10 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 728658

People

(Reporter: Nicolas.Mailhot, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20100101 Firefox/10.0.1
Build ID: 20120209081558

Steps to reproduce:

Enterprise proxies and hotspot captive portals need to point browsers to an authentication page, when the user is unknown or his auth has expired mid-session

http 407 error is completely useless for this as :
1. there is no way to point the browser to a full page with user-friendly explanations (captive portal requirement)
2. there is no way to perform secure authentication (most of the new tablet web clients only do BASIC auth, and BASIC auth over http is a massive fail on a large not-completely-secured internal network)

Therefore proxy and captive portal vendors have developed over time an array of browser redirection techniques, that range from redirects to lying to the browser or performing MiM and DPI attacks
(wikipedia has some sad history here https://en.wikipedia.org/wiki/Captive_portal)

The less invasive method used to be redirects but that is no longer operating as browsers now refuse redirecting https, and there is no way to prevent users to access an https page just as the wrong time

So the current methods all fail one way or the other resulting in huge user frustration and anger trying to provide auth to the filtering equipment

But this equipment is not interested in the https session content browsers refuse to redirect now, it just wants the browser to display a page where user can enter their auth to continue browsing

Firefox should define a way for captive portals and proxies to tell it cleanly: "your auth is not valid anymore, and here is the https page where you can auth again", show this page to the user when notified this way, and return to the page and session the user was browsing in once the auth is done

This probably involves extending error 407 or defining a new one

Internet Explorer does not need this as badly as Firefox since Microsoft is happy to tie everything to Active Directory in corporations and does not seem to bother about hotspots much.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.