1423146 - Do not allow an auth prompt requested by an image resource loaded from cross-origin

Closed Bug 1423146 Opened 7 years ago Closed 7 years ago

Categories

(Core :: Networking: HTTP, enhancement, P3)

Tracking Status
firefox59 --- fixed

People

(Reporter: dragana, Assigned: dragana)

Details

(Keywords: dev-doc-complete, site-compat, Whiteboard: [necko-triaged])

Security

(public)

This bug is publicly visible.

Attachments

(1 file)

We only need to change pref.

Chrome already has this as default (bug 647010 comment 87), so I do not expect that we will break something.

Do we need an intent-to-ship for this?

(In reply to Christoph Kerschbaumer [:ckerschb] from comment #4)
> Do we need an intent-to-ship for this?

I will write one, although Chrome already implements this.

Priority: -- → P3

Whiteboard: [necko-triaged]

Status: ASSIGNED → RESOLVED

Closed: 7 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla59

Flags: needinfo?(dd.mozilla)

Hello! This bug is just the same as my Bug 647010, which I informed Mozilla about in March 2011. This is a vulnerability in all browsers which support Basic/Digest Authentication, as I wrote in my entry. So a lot of web browsers are vulnerable, not only Firefox. I called this attack Onsite phishing (or Inline phishing). It can be used (including by phishers) for stealing logins and passwords of users of web sites.
