
Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin


Dragana Damjanovic

Dec 5, 2017, 9:26:04 AM
to dev-platform
Hi all,

We have implemented this for a long time, but the pref was turned off.
I intend to switch on the pref for this in bug 1423146.
After the pref is switched, an http-authentication dialog prompt will not be
shown if it is triggered by an image resource from a cross-origin.

Chrome already has this switched on.


dragana

Xidorn Quan

Dec 5, 2017, 4:30:01 PM
to dev-pl...@lists.mozilla.org
On Wed, Dec 6, 2017, at 01:25 AM, Dragana Damjanovic wrote:
> Hi all,
>
> We have implemented this for a long time, but the pref was turned off.
> I intend to switch on the pref for this in bug 1423146.
> After the pref is switched a http-authentication dialog prompt will not be
> shown if it is triggered by an image resource from a cross-origin.

Would this affect authentication from proxy? For example, if the
cross-origin image is on a domain which PAC decides to use proxy for,
and the proxy requires authentication, would the dialog prompt for it be
suppressed as well? If so, it sounds a bit unfortunate.

- Xidorn

Dragana Damjanovic

Dec 6, 2017, 5:00:34 AM
to Xidorn Quan, dev-platform
Good point.
Currently it would be blocked. I think we should change that. I will file a
bug (I will also leave the security team to have a final word).

dragana




Daniel Veditz

Dec 6, 2017, 11:53:35 AM
to Xidorn Quan, dev-pl...@lists.mozilla.org
On Tue, Dec 5, 2017 at 1:29 PM, Xidorn Quan <m...@upsuper.org> wrote:

> Would this affect authentication from proxy? For example, if the
> cross-origin image is on a domain which PAC decides to use proxy for,
> and the proxy requires authentication, would the dialog prompt for it be
> suppressed as well? If so, it sounds a bit unfortunate.
>

Note that we're blocking the auth _prompt_, not auth itself. If your first
connection with that proxy is on an <img> tag in some other site then yes,
that will be blocked. But if you've auth'd with the proxy already we will
respond normally to the authentication headers.

Work-around: right-click on the broken image and choose "View Image" or
equivalent, then go back to the original page and it will load.

-Dan Veditz

Dragana Damjanovic

Dec 6, 2017, 12:13:37 PM
to Daniel Veditz, Xidorn Quan, dev-pl...@lists.mozilla.org
Bug 1423522 should fix this.

dragana

Daniel Veditz

Dec 6, 2017, 12:52:13 PM
to Dragana Damjanovic, Xidorn Quan, dev-pl...@lists.mozilla.org
On Wed, Dec 6, 2017 at 9:13 AM, Dragana Damjanovic <ddamj...@mozilla.com> wrote:

> Bug 1423522 should fix this.
>

That doesn't fix it, that reenables the phishing risk. There's no reason
the phisher's server can't pretend to be a proxy if that's what it takes to
get a spoofy auth prompt to show up on a discussion board that allows
images in their comments.

-Dan Veditz
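The prompt-suppression policy the thread describes, as an added illustrative model rather than Firefox's own code: the prompt is withheld for a cross-origin image whether the challenge is a 401 or a 407 (Dan Veditz's point that a server can pose as a proxy), while previously entered credentials are still sent without a dialog. The page, resource URLs and status codes below are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Reduce a URL to its (scheme, host, port) origin, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def is_cross_origin(document_url, resource_url):
    return origin(document_url) != origin(resource_url)


def auth_prompt_decision(document_url, resource_url, status, is_image, has_cached_credentials):
    """Decide what the browser does with an auth challenge for a subresource.

    Returns one of:
      'no-auth'    - the response is not an auth challenge
      'use-cached' - credentials entered earlier are replayed, no dialog
                     (the prompt is blocked, not auth itself)
      'suppress'   - a cross-origin image triggered the challenge; no dialog
      'prompt'     - the dialog is shown to the user
    """
    # 401 carries WWW-Authenticate, 407 carries Proxy-Authenticate.  They are
    # treated alike: any server reached directly can answer 407 and pose as a
    # proxy, so exempting 407 would reopen the spoofed-prompt risk.
    if status not in (401, 407):
        return "no-auth"
    if has_cached_credentials:
        return "use-cached"
    if is_image and is_cross_origin(document_url, resource_url):
        return "suppress"
    return "prompt"


if __name__ == "__main__":
    # Constructed scenarios mirroring the thread.
    page = "https://board.example/thread/42"
    for res, status, cached in [
        ("https://board.example/avatar.png", 401, False),  # same-origin image: prompt
        ("http://evil.example/a.png", 401, False),         # cross-origin image: suppress
        ("http://evil.example/a.png", 407, False),         # "proxy" challenge: suppress
        ("http://evil.example/a.png", 407, True),          # proxy creds cached: use-cached
    ]:
        print(status, res, "->", auth_prompt_decision(page, res, status, True, cached))
```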