Open
Bug 464949
Opened 16 years ago
Updated 1 year ago
Forget About this Site should clear any HTTP-authenticated sessions
Categories
(Toolkit :: Data Sanitization, enhancement, P3)
Toolkit
Data Sanitization
Tracking
()
NEW
Future
People
(Reporter: beltzner, Unassigned)
References
(Depends on 1 open bug)
Details
Attachments
(1 obsolete file)
The "Forget About this Site" function should also clear any HTTP-authenticated sessions, much like "Authenticated Sessions" from Clear Private Data used to do.
Updated•16 years ago
|
Assignee: nobody → sdwilsh
Whiteboard: [needs patch]
Comment 1•16 years ago
|
||
To be clear, it's OK to clear all authenticated sessions, right? We don't have an API to clear just for a given host (and it's subdomains).
Comment 2•16 years ago
|
||
For what it's worth, it's doable to add an API to "Forget about this site", but it would be O(N) for the hosts stored (we'd have to iterate through all authenticated sessions). Clearly, that's not in the 1.9.1 timeframe. I'm guessing for 1.9.1 we want to clear all, and have follow-ups for the rest.
Comment 3•16 years ago
|
||
Attachment #348260 -
Flags: ui-review?(beltzner)
Attachment #348260 -
Flags: review?(gavin.sharp)
Updated•16 years ago
|
Whiteboard: [needs patch] → [has patch][needs review gavin][needs ui-r beltzner]
Comment 4•16 years ago
|
||
Requesting blocking because this is a hole in our privacy APIs that makes things not so private.
Flags: blocking-firefox3.1?
Target Milestone: --- → Firefox 3.1
Comment 5•16 years ago
|
||
(In reply to comment #2)
> For what it's worth, it's doable to add an API to "Forget about this site", but
> it would be O(N) for the hosts stored (we'd have to iterate through all
> authenticated sessions). Clearly, that's not in the 1.9.1 timeframe.
Why clearly? Seems pretty doable to me, and O(N) is hardly a problem. Clearing all logins whenever you clear the history for a given site is rather sucky.
Comment 6•16 years ago
|
||
(In reply to comment #5)
> (In reply to comment #2)
> > For what it's worth, it's doable to add an API to "Forget about this site", but
> > it would be O(N) for the hosts stored (we'd have to iterate through all
> > authenticated sessions). Clearly, that's not in the 1.9.1 timeframe.
> Why clearly? Seems pretty doable to me, and O(N) is hardly a problem. Clearing
> all logins whenever you clear the history for a given site is rather sucky.
Because we are feature frozen at this point, so we shouldn't be making API changes, even if they are additive? It's not like other parts of this API don't do the same thing too.
Comment 7•16 years ago
|
||
Weighing all three options (don't fix this bug, fix this bug with that patch, fix this bug with proper API), the latter seems vastly preferable, and I don't think "feature freeze" should prevent us from considering it. Not sure what you mean by "other parts of this API.
Comment 8•16 years ago
|
||
Is this a necko API that needs fixing here? I can fix as needed.... ;)
Comment 9•16 years ago
|
||
(In reply to comment #8)
> Is this a necko API that needs fixing here? I can fix as needed.... ;)
I mean, I could fix it too - it's not hard to iterate through a hash table. The API in question is nsIHttpAuthCache.
Comment 10•16 years ago
|
||
Yeah. I think we should just change that if we're trying to fix it. That doesn't seem like a big amount of code by any means, and "feature freeze" is more about not adding anything with regression potential that's not fixing an actual bug. If the changes to nsIHttpAuthCache end up with regression potential, then we can worry about them.
Reporter | ||
Comment 11•16 years ago
|
||
Comment on attachment 348260 [details] [diff] [review]
v1.0
Forgetting all authenticated sessions when asking to forget one particular site is going to lead to some strange and confusing behaviour for users, and likely some odd bug reports. I'd recommend we actually fix this correctly.
Attachment #348260 -
Flags: ui-review?(beltzner) → ui-review-
Reporter | ||
Comment 12•16 years ago
|
||
Also, I don't think that this blocks the final release of Firefox 3.1; while comment 4 is true, it's also true that pretty much the only way to reveal that there's still an HTTP-Authenticated session is to revisit the site (or use some advanced sniffing tools). This is a good polish bug for the feature, but in that case we should fix it right.
Flags: wanted-firefox3.1+
Flags: blocking-firefox3.1?
Flags: blocking-firefox3.1-
Updated•16 years ago
|
Attachment #348260 -
Attachment is obsolete: true
Attachment #348260 -
Flags: review?(gavin.sharp)
Updated•16 years ago
|
Whiteboard: [has patch][needs review gavin][needs ui-r beltzner]
Comment 13•16 years ago
|
||
Boris - I'm thinking of adding two api's here. One returns an nsISimpleEnumerator that stores the interfaces (I think I'd need to make a new interface for that too), and another to remove a specific entry. Sound good?
Comment 14•16 years ago
|
||
Seems ok. I guess the things in the enumerator will say what host they're for or whatnot?
Comment 15•16 years ago
|
||
Yeah, I think so. I'll know for sure once I start implementing it.
Updated•16 years ago
|
Target Milestone: Firefox 3.1 → Firefox 3.5
Updated•15 years ago
|
Assignee: sdwilsh → nobody
Target Milestone: Firefox 3.5 → Future
Updated•12 years ago
|
Component: General → Forget About Site
Flags: wanted-firefox3.5+
Flags: blocking-firefox3.5-
Product: Firefox → Toolkit
Comment 16•3 years ago
|
||
Looks like this isn't currently covered by the CLEAR_FORGET_ABOUT_SITE
flags: https://searchfox.org/mozilla-central/rev/70b32246fce5ca1f53af573a21c1939df58cb969/toolkit/components/cleardata/nsIClearDataService.idl#303
Severity: normal → N/A
Type: defect → enhancement
Priority: -- → P3
You need to log in
before you can comment on or make changes to this bug.
Description
•