Closed
Bug 986609
Opened 10 years ago
Closed 9 years ago
Option to make http and https for stored passwords equal
Categories
(Toolkit :: Password Manager, enhancement)
RESOLVED
DUPLICATE
of bug 667233
People
(Reporter: sworddragon2, Unassigned)
Details
(Keywords: sec-want)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140317144912

Steps to reproduce:
Normally I'm storing the password after logging in on a site for the first time. But sometimes the site then forwards at some point from http to https and keeps this protocol on logout.

Actual results:
If I now try to log in, the password is not autofilled, as the address does not exactly match anymore because of https.

Expected results:
Instead of storing the password 2 times (once for http and once for https), maybe this can be enhanced. I don't know if there is a practical use in making a difference between http and https:
- If there is none, Firefox could treat http and https as the same source for the password manager.
- If there is one, maybe Firefox could add an option in about:config to force this behavior.
Reporter
Updated • 10 years ago
Severity: normal → enhancement
Comment 1•9 years ago
I agree strongly, but only in one direction.

Passwords saved for http should also work on https. Not doing this severely punishes sites that switch to https. Ideally we'd change the password to https-only at some point (when the form is submitted? when the site enables HSTS, a la bug 1119555?).

Passwords saved for https should NOT also work on http. That would enable really dangerous MITM attacks.
Updated•9 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
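
The one-directional rule proposed in comment 1, written out as an added example; it is not part of the bug thread and not Firefox's password manager code. The function names, the login record shape and the restriction of upgrades to default ports are assumptions, and the store is constructed sample data.

```javascript
// Added example; function names and the login record shape are hypothetical,
// not Firefox's password manager API.
const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

function parseOrigin(origin) {
  const u = new URL(origin); // lowercases the host, drops a default port
  if (!DEFAULT_PORTS.has(u.protocol)) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS.get(u.protocol),
    isDefaultPort: u.port === "",
  };
}

// May a login saved for savedOrigin be filled into a form on pageOrigin?
function mayFill(savedOrigin, pageOrigin) {
  const saved = parseOrigin(savedOrigin);
  const page = parseOrigin(pageOrigin);
  if (saved.host !== page.host) return false;
  if (saved.scheme === page.scheme) return saved.port === page.port;
  // Upgrade direction only: saved over http, page served over https.
  // Assumption: only default ports are treated as the "same site".
  if (saved.scheme === "http:" && page.scheme === "https:") {
    return saved.isDefaultPort && page.isDefaultPort;
  }
  // Downgrade (saved over https, page over http) is never allowed:
  // this is the MITM exposure comment 1 warns about.
  return false;
}

// Logins usable on pageOrigin, exact-scheme matches first.
function fillableLogins(store, pageOrigin) {
  const pageScheme = parseOrigin(pageOrigin).scheme;
  const rank = (login) => (parseOrigin(login.origin).scheme === pageScheme ? 0 : 1);
  return store
    .filter((login) => mayFill(login.origin, pageOrigin))
    .sort((a, b) => rank(a) - rank(b));
}

// Constructed sample store.
const SAMPLE_STORE = [
  { origin: "http://example.com", username: "old-http" },
  { origin: "https://example.com", username: "new-https" },
  { origin: "https://shop.example.com", username: "other-host" },
];
```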