Closed Bug 986609 Opened 10 years ago Closed 9 years ago

Option to make http and https for stored passwords equal

Categories

(Toolkit :: Password Manager, enhancement)

28 Branch
x86_64
Linux
enhancement
Not set
normal

RESOLVED DUPLICATE of bug 667233

People

(Reporter: sworddragon2, Unassigned)

Details

(Keywords: sec-want)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140317144912

Steps to reproduce:

Normally I store the password after logging in on a site the first time. But sometimes the site then forwards at some point from http to https and keeps this protocol on logout.


Actual results:

If I now try to log in, the password is not autofilled, as the address no longer matches exactly because of https.


Expected results:

Instead of storing the password 2 times (once for http and once for https), maybe this can be enhanced. I don't know if there is a practical use in making a difference between http and https:

- If there is none, Firefox could treat http and https as the same source for the password manager.
- If there is one, maybe Firefox could add an option in about:config to force this behavior.
Severity: normal → enhancement
I agree strongly, but only in one direction.

Passwords saved for http should also work on https. Not doing this severely punishes sites that switch to https. Ideally we'd change the password to https-only at some point (when the form is submitted? when the site enables HSTS, a la bug 1119555?).

Passwords saved for https should NOT also work on http. That would enable really dangerous MITM attacks.
Component: Untriaged → Password Manager
Keywords: sec-want
Product: Firefox → Toolkit
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
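
The one-directional rule argued for in the comment above (http logins usable on https, never the reverse), as an added JavaScript sketch that is not Firefox's password manager code. All function names, the default-port restriction and the sample store are assumptions made for illustration.

```javascript
// Added illustration; all names are hypothetical, not Firefox internals.
function parseOrigin(origin) {
  const u = new URL(origin);
  // URL lowercases the host and reports a scheme's default port as "".
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

// May a login saved for savedOrigin be filled into a form served from formOrigin?
function mayAutofill(savedOrigin, formOrigin) {
  const saved = parseOrigin(savedOrigin);
  const form = parseOrigin(formOrigin);
  if (saved.host !== form.host) return false;
  if (saved.scheme === form.scheme) return saved.port === form.port;
  // Schemes differ: only the http -> https upgrade is allowed, so an
  // https-saved login is never offered to a page served over http.
  // Assumption: upgrade only between default ports (80 -> 443).
  return saved.scheme === "http:" && form.scheme === "https:" &&
         saved.port === "" && form.port === "";
}

// Logins usable on formOrigin, exact-scheme matches listed first.
function loginsFor(store, formOrigin) {
  const formScheme = parseOrigin(formOrigin).scheme;
  const rank = (l) => (parseOrigin(l.origin).scheme === formScheme ? 0 : 1);
  return store
    .filter((l) => mayAutofill(l.origin, formOrigin))
    .sort((a, b) => rank(a) - rank(b));
}

// After a submit on https, re-key an upgraded http login to the https
// origin so it stops being offered on http at all.
function pinToHttps(login, formOrigin) {
  if (parseOrigin(formOrigin).scheme === "https:" &&
      mayAutofill(login.origin, formOrigin)) {
    return { ...login, origin: new URL(formOrigin).origin };
  }
  return login;
}

// Constructed sample store.
const sampleStore = [
  { origin: "http://example.com", user: "alice" },
  { origin: "https://example.com", user: "bob" },
  { origin: "https://bank.example", user: "carol" },
];
```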