Deal with removal of SSL-related warning prompts

RESOLVED FIXED in seamonkey2.16

Status

SeaMonkey
Security
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: neil@parkwaycc.co.uk, Unassigned)

Tracking

unspecified
seamonkey2.16

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Bug #799009 removed the following prompts:

1. Warning, you are about to enter a secure site
2. Warning, you are about to leave a secure site
3. Warning, you are about to submit a form to an insecure site, when you are already on an insecure site.
4. Warning, you are viewing a site with mixed content.
(Reporter)

Comment 1

5 years ago
Created attachment 680485 [details] [diff] [review]
Insecure form submission prompt, suite glue version
(Reporter)

Comment 2

5 years ago
Created attachment 680488 [details] [diff] [review]
Insecure form submission prompt, notificationbox version
(Reporter)

Comment 3

5 years ago
Created attachment 680870 [details] [diff] [review]
Possible patch

(Includes the insecure form submission prompt, notificationbox version)

This is still an alert but I was thinking that I could convert it into a notification in a followup bug.
Attachment #680870 - Flags: feedback?(philip.chee)
Attachment #680870 - Flags: feedback?(iann_bugzilla)

Comment 4

5 years ago
Comment on attachment 680870 [details] [diff] [review]
Possible patch

> +      <method name="notify">
> +        <parameter name="aFormElement"/>
> +        <parameter name="aWindow"/>
> +        <parameter name="aURI"/>
How about aActionURI ?

(tested on https://bug90392.bugzilla.mozilla.org/attachment.cgi?id=43175)

> +            if (!aFormElement || ! aWindow || !aURI)
Extraneous space.

> +            try {
> +              uri = aFormElement.nodePrincipal.URI;
> +            } catch (e) {}
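Review bot: the empty `catch (e) {}` around `uri = aFormElement.nodePrincipal.URI` discards every exception, so when the lookup fails `uri` keeps whatever value it had before the `try` and nothing records why. Suggest a comment naming the failure this is expected to absorb, plus an explicit fallback or early return in the catch block, so the code that follows never works silently with an unset `uri`.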
When does this throw?

WFM so f=me
Attachment #680870 - Flags: feedback?(philip.chee) → feedback+
(Reporter)

Comment 5

5 years ago
(In reply to Philip Chee from comment #4)
> (From update of attachment 680870 [details] [diff] [review])
> > +            try {
> > +              uri = aFormElement.nodePrincipal.URI;
> > +            } catch (e) {}
> When does this throw?
I was just porting the PSM code, it checks the nsresult.

Comment 6

5 years ago
Bug 799009 says that the warning about leaving a secure site (#2) is "outdated".

I'm not convinced this is the case. Of course, this warning was effectively useless, since it occurred at a point where the action could no longer be prevented. As such there's no point keeping it indeed. However, having the ability to stop that action would be good (bug 289847).

There are sites out there that pass sensitive information (or authentication tokens) from an HTTPS page to an HTTP page (possibly relying on a subsequent automatic redirection to HTTPS), sometimes in an explicit link, sometimes just by changing window.location.href via JavaScript. Such behaviour should be warned against, and should also be preventable by the user.

Without any browser warnings, and more particularly when automatic redirections from HTTP to HTTPS are present on the site, information leakage can go completely unnoticed (including for the site developer).
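The HTTPS-to-HTTP hand-off described in comment 6, as a site-side audit check. This is an added example, not part of the bug report or the attached patch; the function name `auditDowngrades`, the `SENSITIVE` name pattern and all sample URLs are assumptions made for illustration.

```javascript
// Constructed sample: navigation targets collected from one HTTPS page
// (link hrefs, form actions, values a script assigns to window.location.href).
const SAMPLE_PAGE = "https://shop.example/account";
const SAMPLE_TARGETS = [
  { kind: "link", url: "http://shop.example/orders?session=abc123" },
  { kind: "form", url: "/checkout" },
  { kind: "script", url: "http://shop.example/landing" },
  { kind: "form", url: "http://pay.example/submit" },
  { kind: "link", url: "mailto:help@shop.example" },
  { kind: "link", url: "http://[bad" },
];

// Assumption: parameter names treated as sensitive; tune per application.
const SENSITIVE = /^(session|sid|token|auth|key|pass)/i;

// Returns one finding per target that takes the user from HTTPS to HTTP.
function auditDowngrades(pageURL, targets) {
  const page = new URL(pageURL);
  if (page.protocol !== "https:") return []; // only secure -> insecure is audited
  const findings = [];
  for (const { kind, url } of targets) {
    let target;
    try {
      target = new URL(url, page); // resolve relative URLs against the page
    } catch (e) {
      // Report what could not be parsed instead of dropping it silently.
      findings.push({ kind, url, issue: "unparseable", leaked: [] });
      continue;
    }
    if (target.protocol !== "http:") continue; // https:, mailto: are not HTTP downgrades
    const leaked = [...target.searchParams.keys()].filter((p) => SENSITIVE.test(p));
    let issue = "leaves-secure-site";
    if (kind === "form") issue = "insecure-form-action";
    else if (leaked.length > 0) issue = "sensitive-params-over-http";
    findings.push({ kind, url: target.href, issue, leaked });
  }
  return findings;
}

for (const f of auditDowngrades(SAMPLE_PAGE, SAMPLE_TARGETS)) {
  console.log(`${f.issue}: ${f.kind} -> ${f.url}`, f.leaked);
}
```

A target that the server later redirects from HTTP back to HTTPS is still reported, because the first request has already carried its query string in clear text.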

Updated

5 years ago
Attachment #680870 - Flags: feedback?(iann_bugzilla) → feedback+
(Reporter)

Comment 7

5 years ago
Comment on attachment 680870 [details] [diff] [review]
Possible patch

Bah, why didn't I just request r? in the first place...

Oh yeah, in case you wanted to go with attachment 680485 [details] [diff] [review].

I assume from the f+ that you are happy with this approach.
Attachment #680870 - Flags: review?(iann_bugzilla)

Updated

5 years ago
Attachment #680870 - Flags: review?(iann_bugzilla) → review+

Comment 8

5 years ago
(In reply to neil@parkwaycc.co.uk from comment #7)
> Comment on attachment 680870 [details] [diff] [review]
> Possible patch
> 
> Bah, why didn't I just request r? in the first place...
> 
> Oh yeah, in case you wanted to go with attachment 680485 [details] [diff] [review].
> 
> I assume from the f+ that you are happy with this approach.

r=me with the already mentioned nits fixed.

Updated

5 years ago
Depends on: 813427
(Reporter)

Comment 9

5 years ago
Pushed comm-central changeset 7a8e57d2fbc2.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → seamonkey2.16
(Reporter)

Updated

4 years ago
Blocks: 817441