Open
Bug 1435085
Opened 7 years ago
Updated 2 years ago
[meta] HTTP Auth security and UI fixes
Categories
(Core :: DOM: Security, enhancement, P3)
Core
DOM: Security
Tracking
NEW
People
(Reporter: tanvi, Unassigned)
References
(Depends on 2 open bugs, Blocks 1 open bug)
Details
(Keywords: meta, Whiteboard: [domsecurity-meta])
There have been a number of HTTP Auth bugs recently. Creating this meta bug to help lay out what an HTTP Auth Fix Up project may include.
Reporter
Updated•7 years ago
Comment 1•7 years ago
See also the existing whiteboard tag… https://bugzil.la/sw:%22[passwords:http-auth]%22
Reporter
Comment 2•7 years ago
* Security bugs
* HTTP Auth should be tab modal instead of window modal to prevent annoyance (evil traps).
* HTTP Auth should be restricted for subresources as much as possible to prevent phishing.
* HTTP Auth should perhaps be disabled on HTTP pages.
* The HTTP Auth dialog needs to be modernized:
** modern UI
** if a subresource is requesting auth, it needs to be very clear that it is not the top level page
** if HTTP Auth is allowed on an HTTP page, we should show the lock with the strikethrough
Updated•7 years ago
Priority: -- → P3
Whiteboard: [domsecurity-meta]
Comment 3•7 years ago
(In reply to Tanvi Vyas[:tanvi] from comment #2)
> * HTTP Auth should be restricted for subresources as much as possible to
> prevent phishing.
bug 647010
Depends on: 647010
Comment 4•7 years ago
Not so much a blocker on bug 1410548, but I want to track this so I can verify any change in behavior.
Blocks: 1410548
> * HTTP Auth should perhaps be disabled on HTTP pages.
In many dev pages and localhost dev pages, it's a rarity to use HTTPS because the credentials are usually of low value and because it would require either to use and whitelist a self-signed certificate or pay more for the certificate to include the development domains. Even worse, the dev may not have the name registered in a DNS and be accessible by IP only.
Given that, it is OK to have HTTP Auth disabled for HTTP pages by default but, if done so, I strongly believe that there should be an option for devs to enable HTTP Auth on non-secure connections.
Flags: sec-bounty?
Flags: in-testsuite-
Flags: in-qa-testsuite-
Flags: behind-pref-
Flags: a11y-review-
tracking-firefox-esr60:
--- → ?
tracking-thunderbird_esr52:
--- → ?
tracking-thunderbird_esr60:
--- → ?
Flags: needinfo?(ckerschb)
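The policy points from comment 2 (tab-modal prompts, restricting subresource auth, refusing auth on plain-HTTP pages) and the developer opt-in asked for in comment 4 can be expressed as a single decision function. The block below is an added example written for this page; it is not Firefox code, and the knob names `subresource_policy` and `allow_insecure_toplevel`, the reason strings, and the `*.example` hostnames are all constructed for the illustration.

```python
"""Auth-prompt policy check (added example, not Firefox code).

Models the proposals from comment 2 and the developer opt-in from comment 4:
prompts are always tab-modal, subresource auth is limited to the top-level
origin by default, and plain-HTTP pages get no prompt unless opted in.
Knob names, reason strings and hostnames are constructed for this example.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) with the default port filled in,
    so https://a.example/ and https://a.example:443/ compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def auth_prompt_decision(top_level_url, request_url, is_subresource, *,
                         subresource_policy="same-origin",
                         allow_insecure_toplevel=False):
    """Decide whether a 401 challenge for request_url may show a prompt.

    subresource_policy:      "never" | "same-origin" | "always"  (constructed knob)
    allow_insecure_toplevel: developer opt-in for HTTP pages (comment 4)

    Returns (allowed, reason, ui). `ui` carries what the dialog would need:
    it is tab-modal, it flags a subresource challenge, it names the origin
    actually asking for credentials, and it marks an insecure top-level page.
    """
    top = origin_of(top_level_url)
    req = origin_of(request_url)
    ui = {
        "tab_modal": True,                       # never window-modal (evil traps)
        "subresource_warning": is_subresource,   # make "not the top-level page" obvious
        "show_origin": f"{req[0]}://{req[1]}:{req[2]}",
        "insecure_indicator": top[0] != "https", # strikethrough lock on HTTP pages
    }
    if top[0] != "https" and not allow_insecure_toplevel:
        return False, "http-toplevel", ui
    if is_subresource:
        if subresource_policy == "never":
            return False, "subresource-blocked", ui
        if subresource_policy == "same-origin" and top != req:
            return False, "cross-origin-subresource", ui
    return True, "ok", ui


if __name__ == "__main__":
    # Constructed sample challenges: (top-level page, challenging URL, is_subresource)
    cases = [
        ("https://app.example/", "https://app.example/", False),
        ("https://app.example/", "https://app.example:443/img.png", True),
        ("https://app.example/", "https://cdn.evil.example/x.png", True),
        ("http://localhost:8000/", "http://localhost:8000/", False),
    ]
    for top_url, req_url, sub in cases:
        allowed, reason, ui = auth_prompt_decision(top_url, req_url, sub)
        print(f"{req_url:40} subresource={sub!s:5} -> {allowed!s:5} ({reason})")
    # Comment 4's developer opt-in: the prompt appears, but with the insecure marker.
    allowed, reason, ui = auth_prompt_decision(
        "http://localhost:8000/", "http://localhost:8000/", False,
        allow_insecure_toplevel=True)
    print("opt-in on localhost ->", allowed, reason, ui["insecure_indicator"])
```

The cross-origin case is the phishing scenario comment 2 is worried about: a third-party image on a trusted page triggers a challenge, and without the origin check the prompt would appear over the trusted page with nothing tying it to the third party. The `show_origin` hint is what the modernized dialog would display so the user can tell the two apart even when the policy is relaxed to `"always"`.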
Updated•6 years ago
tracking-firefox-esr60:
? → ---
tracking-thunderbird_esr52:
? → ---
tracking-thunderbird_esr60:
? → ---
Flags: sec-bounty?
Flags: needinfo?(ckerschb)
Flags: in-testsuite-
Flags: in-qa-testsuite-
Flags: behind-pref-
Flags: a11y-review-
Updated•2 years ago
Severity: normal → S3