Closed Bug 240639 Opened 21 years ago Closed 21 years ago

URL/Password shown in URL after using URL-version of basic HTTP auth.

Categories

(Core :: Networking: HTTP, defect)

x86
Linux
defect
Not set
major

Tracking

()

VERIFIED DUPLICATE of bug 157354
mozilla1.8alpha1

People

(Reporter: jason, Assigned: darin.moz)


User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040212 StarlitCat/0.8 (To GNOMIfy the World)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040212 StarlitCat/0.8 (To GNOMIfy the World)

When visiting a website that requires basic HTTP authentication, you can enter the appropriate username/password combination in the URL like so:

https://username:password@foo.bar.com/

[ The username and password need to have non-alphanumerics (i.e. not safe for inclusion in a URL) escaped (e.g. + => %2B) ]

When you use that option to access such a site, the browser should cache the username/password information (just as if you had typed it into the popup form) and then delete it from the URL used to access the site. However, Firefox 0.8 does not do that, which leaves the username and password up on the screen for anyone walking by to visually snarf.

Reproducible: Always

Steps to Reproduce:
1. Log in to a basic HTTP auth. website using a URL of the form https://username:password@foo.bar.com/
2.
3.

Actual Results:
You are logged in as expected, but the username and password remain in the URL displayed in the location bar.

Expected Results:
The username and password should be cached as if you had typed them into the popup box when visiting the site with the traditional https://foo.bar.com, and then removed from the URL shown in the location bar *and* from the browser history for that page, and *not* put in the browser cache.

I am only marking this as Major because of the security implications of this bug.
Assignee: firefox → darin
Component: General → Networking: HTTP
Product: Firefox → Browser
QA Contact: httpqa
Version: unspecified → Trunk
I agree with this bug. I'll put it on my 1.8 task list, but no promises... I've already taken on too many things for the next milestone.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → mozilla1.8alpha
Maybe a contributor that understands history could work w/ Andreas to get some URL Parser help?
Depends on: 233340
For me this looks like a dupe of bug 157354 "URL bar should not display passwords in URL".

Other related bugs:
bug 88771 URL bar menu (autocomplete) should hide URL passwords
bug 146289 passwords in URLs are saved in URL dropdown
bug 130327 Passwords in urls are saved in history
bug 186695 FTP/HTTP password printed as part of URL
bug 160471 Bookmarks should not save password in URL
I've added those bugs to the dependency list of bug 233340.
*** This bug has been marked as a duplicate of 157354 ***
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
V/dupe.
Status: RESOLVED → VERIFIED
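
The behaviour requested in this report (keep the credentials for authentication, strip them from anything shown or stored), sketched as an added example that is not part of the original bug and is not Mozilla's code. The helper names splitUrlCredentials and safeDecode are hypothetical; it relies only on the standard WHATWG URL class.

```javascript
// Added example (not Mozilla code): separate the userinfo part of a URL from
// the form that is safe to show in the location bar, history or bookmarks.

// Percent-decode a userinfo component; keep the raw text if the escapes are
// malformed (decodeURIComponent throws URIError on input such as "%zz").
function safeDecode(component) {
  try {
    return decodeURIComponent(component);
  } catch (e) {
    return component;
  }
}

// Returns { displayUrl, credentials }.
//   displayUrl  - the URL with username and password removed, or null if the
//                 input does not parse as a URL
//   credentials - { host, username, password } for the auth cache, or null
//                 when the URL carried no userinfo
function splitUrlCredentials(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { displayUrl: null, credentials: null };
  }

  let credentials = null;
  // Let the URL parser decide what is userinfo: an "@" in the path or query
  // (e.g. ?mail=a@b.com) is not a credential separator.
  if (url.username !== "" || url.password !== "") {
    credentials = {
      host: url.host,
      // Escaped characters (e.g. %2B for "+") are restored for the auth layer.
      username: safeDecode(url.username),
      password: safeDecode(url.password),
    };
    url.username = "";
    url.password = "";
  }
  return { displayUrl: url.href, credentials };
}
```

Only displayUrl should reach the location bar, history, autocomplete, bookmarks and logs; the credentials object goes to the same in-memory store the password prompt would use.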