Closed Bug 1592621 Opened 5 years ago Closed 5 years ago

Firefox saves http password in history

Categories

(Toolkit :: Places, defect)

70 Branch
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 130327

People

(Reporter: egil, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Navigate to a URL with HTTP auth in it. So something like:
https://login:pass@example.com/secured-path/

Can also be reproduced in a form submitted with a script like this:

function submitAuthForm() {
    var login = document.getElementById('login').value;
    var pass = document.getElementById('pass').value;
    var authUrl = location.origin.replace('://', '://' + encodeURIComponent(login) + ':' + encodeURIComponent(pass) + '@') + '/secured-path/';
    location.href = authUrl;
}

Actual results:

Firefox saves both the login and password in history.

Expected results:

Firefox MUST NOT save any HTTP authorisation in history. The URL saved in history should be:
https://example.com/secured-path/

Note that when you visit a path secured with HTTP auth you get a popup. When you type in credentials in that popup the data is also submitted to the server. BUT the data is not saved in history then. I guess "Authorization" header is used in that case.

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Component: Untriaged → Places
Product: Firefox → Toolkit
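
Added example (not part of the original report and not Firefox code): one way a client could separate URL userinfo from the address before recording it, so that the stored entry matches the expected result in the report and the credentials are carried as an HTTP Basic Authorization header value instead. The function and field names are hypothetical; it assumes a runtime with the WHATWG URL API, TextEncoder and btoa.

```javascript
// Hypothetical helper: decode one userinfo component. The URL API keeps
// userinfo percent-encoded (the report's script uses encodeURIComponent).
function decodeUserinfo(part) {
  try {
    return decodeURIComponent(part);
  } catch (e) {
    return part; // malformed escape such as "%zz": keep the raw text
  }
}

// Split a URL into the form that is safe to record (history, logs) and the
// Basic credentials it carried, if any. Returns null for unparsable input.
function splitUrlCredentials(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null; // not an absolute URL: record nothing
  }

  let authorization = null;
  if (u.username !== '' || u.password !== '') {
    const user = decodeUserinfo(u.username);
    const pass = decodeUserinfo(u.password);
    // Basic auth is base64 over the bytes of "user:pass"; encode as UTF-8
    // first so non-ASCII credentials do not make btoa throw.
    const bytes = new TextEncoder().encode(user + ':' + pass);
    authorization = 'Basic ' + btoa(String.fromCharCode(...bytes));
    // Clear the userinfo so it never reaches the stored URL.
    u.username = '';
    u.password = '';
  }
  return { historyUrl: u.href, authorization };
}

// Constructed sample input, taken from the shape used in the report.
const sample = splitUrlCredentials('https://login:pass@example.com/secured-path/');
console.log(sample.historyUrl);    // URL without userinfo
console.log(sample.authorization); // header value to send with the request
```

The caller would record only historyUrl and attach authorization to the outgoing request, which mirrors the popup flow the reporter describes.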