MozillaZine

Browser.trim user and password

From MozillaZine Knowledge Base

(Difference between revisions)
Revision as of 23:50, 26 November 2005
Unarmed (Talk | contribs)
(Separate dom.disable_window_open_feature.* articles would be more valuable.)
Revision as of 13:52, 13 December 2005
Asqueella (Talk | contribs)
(replace Location Bar with a link to category)
Line 6: Line 6:
[https://bugzilla.mozilla.org/show_bug.cgi?id=22183 Bug 22183], which deals with the XUL spoofing issue, was a security-sensitive bug until mid-2004. Once the bug was public (and perhaps spurred by a [http://secunia.com/advisories/12188/ Secunia advisory] and [http://it.slashdot.org/article.pl?sid=04/07/31/0037210&tid=154&tid=128&tid=172 Slashdot article]), a good deal of discussion ocurred on how best to approach the problem. [https://bugzilla.mozilla.org/show_bug.cgi?id=22183 Bug 22183], which deals with the XUL spoofing issue, was a security-sensitive bug until mid-2004. Once the bug was public (and perhaps spurred by a [http://secunia.com/advisories/12188/ Secunia advisory] and [http://it.slashdot.org/article.pl?sid=04/07/31/0037210&tid=154&tid=128&tid=172 Slashdot article]), a good deal of discussion ocurred on how best to approach the problem.
-One suggested solution was to require the [[Location Bar]] [[dom.disable_window_open_feature.location|always be present on popup windows]]. A step beyond that was to prevent the HTTP Basic Auth username and password from being displayed there, to prevent obfuscating the originating server. Ben Goodger implemented this latter step in a patch and included this preference to disable the behavior.+One suggested solution was to require the [[:Category:Location Bar|Location Bar]] [[dom.disable_window_open_feature.location|always be present on popup windows]]. A step beyond that was to prevent the HTTP Basic Auth username and password from being displayed there, to prevent obfuscating the originating server. Ben Goodger implemented this latter step in a patch and included this preference to disable the behavior.
A different patch was eventually applied that did not use this preference. However, the default value for the preference ''was'' checked in, resulting in a defunct about:config entry. A different patch was eventually applied that did not use this preference. However, the default value for the preference ''was'' checked in, resulting in a defunct about:config entry.
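Review bot: "ocurred" in the unchanged Bug 22183 paragraph of this hunk is misspelled. Since this revision already edits the paragraph directly below it, correct it to "occurred" in the same edit.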
Line 15: Line 15:
==Previous effects== ==Previous effects==
===True=== ===True===
-Don&rsquo;t display the HTTP username and password in the read-only [[Location Bar]] for popup windows. (Default)+Don&rsquo;t display the HTTP username and password in the read-only [[:Category:Location Bar|Location Bar]] for popup windows. (Default)
===False=== ===False===
Display the original URI in the Location Bar as normal. Display the original URI in the Location Bar as normal.
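Review bot: The True description in this hunk writes the apostrophe as the HTML entity &rsquo; ("Don&rsquo;t"); a literal apostrophe would keep the wikitext readable and searchable. The "Location Bar" mention under False is left unlinked, which is fine if only the first mention in the section is meant to carry the category link.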

Revision as of 13:52, 13 December 2005

Background

One of the hazards of allowing Mozilla browsers to render remote XUL is that it becomes exceedingly easy for third parties to spoof parts of the browser UI. Steps have been taken to make it easier for users to tell the difference between local and remote XUL, and this preference is an artifact of one such attempt.

Bug 22183, which deals with the XUL spoofing issue, was a security-sensitive bug until mid-2004. Once the bug was public (and perhaps spurred by a Secunia advisory and Slashdot article), a good deal of discussion occurred on how best to approach the problem.

One suggested solution was to require that the Location Bar always be present on popup windows. A step beyond that was to prevent the HTTP Basic Auth username and password from being displayed there, so that they could not be used to obfuscate the originating server. Ben Goodger implemented this latter step in a patch and included this preference to disable the behavior.

A different patch was eventually applied that did not use this preference. However, the default value for the preference was checked in, resulting in a defunct about:config entry.

Caveats

  • As mentioned above, this preference has no effect in any officially released Mozilla product.

Previous effects

True

Don’t display the HTTP username and password in the read-only Location Bar for popup windows. (Default)

False

Display the original URI in the Location Bar as normal.
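
The True and False behaviours described above, sketched as an added example (this is not Ben Goodger's patch or any Mozilla code). The function names and sample URL are constructed for illustration, and the `trim` argument stands in for the preference value.

```javascript
// Added illustration, not Mozilla code. All names and URLs are hypothetical.

// Returns the string a read-only location bar would show.
// trim === true  -> userinfo (user:password@) is removed before display.
// trim === false -> the original URI is shown as-is.
function displayUri(spec, trim = true) {
  if (!trim) return spec;
  let url;
  try {
    url = new URL(spec);
  } catch (e) {
    return spec; // not parseable as a URL: leave untouched
  }
  // Nothing to strip (also covers schemes without an authority, e.g. mailto:).
  if (url.username === "" && url.password === "") return spec;
  url.username = "";
  url.password = "";
  return url.href;
}

// The host the browser actually contacts, whatever the userinfo says.
function originatingHost(spec) {
  return new URL(spec).host;
}

// Flags the case the trimming was meant to defuse: a userinfo part
// that is shaped like a hostname and could be misread as the server.
function userinfoResemblesHost(spec) {
  let url;
  try {
    url = new URL(spec);
  } catch (e) {
    return false;
  }
  let user = url.username;
  try {
    user = decodeURIComponent(user);
  } catch (e) {
    // malformed percent-escape: test the raw value instead
  }
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(user);
}

// Constructed sample: the text before "@" is userinfo, not the server.
const SAMPLE = "http://www.example.com:login@server.example.net/account";
console.log(displayUri(SAMPLE, false)); // original URI
console.log(displayUri(SAMPLE, true));  // userinfo removed
```
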

First checked in

2004-09-06 by Ben Goodger

Has an effect in

  • No products are affected by this preference

Related bugs

Related preferences

External links