Closed Bug 88771 Opened 24 years ago Closed 13 years ago

URL bar menu (autocomplete) should hide URL passwords

Categories

(SeaMonkey :: Location Bar, defect)

Product:
SeaMonkey
Component:
Location Bar
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 146289

People

(Reporter: netdragon, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: helpwanted, privacy) 

Basically if you do this:

http://name:password@www.yahoo.com

or 

ftp://name:password@ftp.rpi.edu

it would be nice to put * - stars in place of the password in the url dropdown. 
It would be especially good for universities where many people share the same 
computer.
I would like to see the password removed immediately from all entered URLs
(although that would require the password to be saved somewhere else).
Status: UNCONFIRMED → NEW
Ever confirmed: true
I think this should be a preference because I personally like the way it works now.
What is our current behavior WRT passwords in URLs? Should we be stripping them
out immediately after the initial load and not saving them in history, etc? Or
should we just star them out as Brian suggests?
Assignee: mstoltz → neeti
Component: Security: General → Networking
QA Contact: ckritzer → benc
I wouldn't like it if the user:password was removed from the url line when
placed in it. Currently, the user:password is left on the line. It would also be
confusing WRT to the dropdown box if it was stripped. You wouldn't know if it
was already set to login. Although, it might be bad security to even put it in
the dropdown box. Maybe the password should be totally left out when placed in
the dropdown box.

For instance:

http://blah:blah@www.yahoo.com/
 
1) would turn into for the url box

http://blah@www.yahoo.com

or 

http://blah:****@www.yahoo.com

2) and would turn into for the dropdown box

http://blah@www.yahoo.com

I believe doing the first option would be the best for #1. It would keep
consistency.

As for in the history, it leaves the password intact too. 6/25 build.


<offtopic>
Btw: I can't get either FTP or http authentication to work using this method. In
fact, FTP doesn't work at all. Are these known issues?</offtopic>

 

to alec.
Assignee: neeti → alecf
->URL Bar, still me.
Component: Networking → URL Bar
reassign url bar bugs to new owner..
Assignee: alecf → blakeross
QA Contact: benc → claudius
I haven't worked through all the RFCs, but the first convention is illegal anyhow.
Joe was dying to have these bugs. Who am I to say no?
Assignee: blakeross → hewitt
Status: NEW → ASSIGNED
Priority: -- → P4
Target Milestone: --- → Future
Should not be set to Future IMO. It's a critical security issue.
This is not enhancement, this is really security bug. Brian, could you set any
other target?
Severity: enhancement → normal
Keywords: privacy
*** Bug 138463 has been marked as a duplicate of this bug. ***
Adding the mozilla1.0 keyword and changing the milestone to 1.0 to see if this
gets any support from drivers.
Keywords: helpwanted, mozilla1.0
Target Milestone: Future → mozilla1.0
Brian: You can't change Target Milestone, it's Joe Hewitt's target. Setting back
-> Future.
(Joe: If I'm wrong, correct me)
Target Milestone: mozilla1.0 → Future
*** Bug 157354 has been marked as a duplicate of this bug. ***
I think that it should not save the passwords in history or in the url bar.

It is insecure for them to be saved like that.
Sorry for the spam...
Changing CC to my new email addy..
If I'm not wrong, the patch for bug 130327 fixes this bug as well.
Blocks: 232560
QA Contact: claudius → benc
Summary: Block user:password combinations prefacing domain in url drop down → URL bar menu (autocomplete) should hide URL passwords
Blocks: 233340
Depends on: 157354
*** Bug 250337 has been marked as a duplicate of this bug. ***
I read and read and read but didn't find any solution for my problem which I
posted in bug number 279296.

Can someone please tell me how to teach Firefox 1.0 NOT to remove the username
and password from the URL?
*** Bug 288731 has been marked as a duplicate of this bug. ***
*** Bug 288449 has been marked as a duplicate of this bug. ***
I don't like this behaviour at all. Seems like a big security risk to me. 

Requesting blocking 1.1.
Flags: blocking-aviary1.1?
Flags: blocking-aviary1.1? → blocking-aviary1.1-
Product: Core → SeaMonkey
Assignee: hewitt → nobody
Status: ASSIGNED → NEW
Priority: P4 → --
QA Contact: benc → location-bar
Target Milestone: Future → ---
Forward dupping to Bug 146289 since there is a patch there.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.