Steps to reproduce:
1. start the B2G contacts app (person icon in the bottom bar)
2. tap the gear in the upper right (Settings)
3. tap "Facebook" to import facebook contacts

Actual results: readonly URL bar briefly shows https://m.facebook.com/ URL, which then changes (redirects?) to an http://m.facebook.com/ URL, which prompts for my username and password

Expected results: I should be asked for my facebook username and password only via https, not http.
Not sure if this is us or them.
bug 835983 seemed to say that the page itself is loaded securely, but the subresources weren't. This one says there's now an insecure redirect. Probably the same issue (and on Facebook's side) but maybe not quite? Either way passwords can be stolen by a network MITM (e.g. Firesheep).
I don't see this redirect when loading https://m.facebook.com in Firefox for Android with the default UA or Firefox OS UA. I also don't see a redirect happening when I execute

    curl -LA "Mozilla/5.0 (Mobile; rv:21.0) Gecko/21.0 Firefox/21.0" https://m.facebook.com

This makes me think the issue is on our end. Or, perhaps there was an issue 5 days ago but Facebook resolved it. Can you confirm that this is still an issue with the contacts app?
So I'd note that once I entered my username and password once (over wifi that I trusted), I never saw it again. So my suspicion is that there's no redirect to http: once there's a cookie, which would mean reproducing the bug requires flashing the phone clean. I can try that tomorrow if needed, but not right now.
Also, I believe I was referring to URLs *beginning with* http://m.facebook.com/ or https://m.facebook.com/
Can we get QA to verify the suspicion in comment 5? If this was Facebook side and is no longer happening obviously we won't block.
Created attachment 711905: Screenshot of issue

I still see this using the latest nightly build:
Gecko http://hg.mozilla.org/releases/mozilla-b2g18/rev/71ddeff45ec2
Gaia cff23a80c41b7de223d27c6a6f1f82f95c9c5f6b
BuildID 20130208070201
Version 18.0

STR:
1. Fresh flash, import Facebook contacts by selecting Contacts icon in Dock.
2. Briefly see a flash of https screen, then I arrive on the page in the screenshot.
I can reproduce this in the contacts app as well. I cannot reproduce this issue when I open https://m.facebook.com in the Firefox OS browser. Anyone have thoughts on what might differ in the contacts app case?
This issue still reproduces on Unagi build 2013020800201 with Dec 5th Kernel. URL bar shows https://m.facebook.com/ URL for a split second, which then changes to an http://m.facebook.com/ URL, which prompts for a username and password. This issue reproduces even when the username and password were already entered once (as it mentions in comment 5).
I checked that this was still happening in a clean v1-train self-built build from earlier today.
We wouldn't block on a sec-moderate issue, but would accept a low risk uplift. Francisco - what's the level of effort here? It appears that we're using https through the browser, but not in contacts.
Reassigning to Jose Manuel, as he implemented the contact import feature; I'm sure he can answer better than me. Thanks!
This is a duplicate of 835983 ... I'll add more comments there as I have also been looking into this and talking to Facebook people.