Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin

2017-12-06 Thread Daniel Veditz
On Wed, Dec 6, 2017 at 9:13 AM, Dragana Damjanovic 
wrote:

> Bug 1423522 should fix this.
>

That doesn't fix it, that reenables the phishing risk. There's no reason
the phisher's server can't pretend to be a proxy if that's what it takes to
get a spoofy auth prompt to show up on a discussion board that allows
images in their comments.

-Dan Veditz
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin

2017-12-06 Thread Dragana Damjanovic
Bug 1423522 should fix this.

dragana

On Wed, Dec 6, 2017 at 5:53 PM, Daniel Veditz  wrote:

> On Tue, Dec 5, 2017 at 1:29 PM, Xidorn Quan  wrote:
>
> > Would this affect authentication from proxy? For example, if the
> > cross-origin image is on a domain which PAC decides to use proxy for,
> > and the proxy requires authentication, would the dialog prompt for it be
> > suppressed as well? If so, it sounds a bit unfortunate.
> >
>
> Note that we're blocking the auth _prompt_, not auth itself. If your first
> connection with that proxy is on an <img> tag in some other site then yes,
> that will be blocked. But if you've auth'd with the proxy already we will
> respond normally to the authentication headers.
>
> Work-around: right-click on the broken image and choose "View Image" or
> equivalent, then go back to the original page and it will load.
>
> -Dan Veditz


Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin

2017-12-06 Thread Daniel Veditz
On Tue, Dec 5, 2017 at 1:29 PM, Xidorn Quan  wrote:

> Would this affect authentication from proxy? For example, if the
> cross-origin image is on a domain which PAC decides to use proxy for,
> and the proxy requires authentication, would the dialog prompt for it be
> suppressed as well? If so, it sounds a bit unfortunate.
>

Note that we're blocking the auth _prompt_, not auth itself. If your first
connection with that proxy is on an <img> tag in some other site then yes,
that will be blocked. But if you've auth'd with the proxy already we will
respond normally to the authentication headers.

Work-around: right-click on the broken image and choose "View Image" or
equivalent, then go back to the original page and it will load.

-Dan Veditz
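As an added illustration of the behaviour Dan describes above (the prompt is blocked, not authentication itself) and of the proxy-exemption concern he raises in his later reply at the top of the thread, here is a small decision model written for this thread; it is not Gecko's code, and the function name, return values and example URLs are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Web origin as (scheme, host, port); default ports are normalised so
    https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def decide_auth_prompt(page_url, resource_url, *, is_image, status,
                       challenge_header, have_cached_credentials,
                       exempt_proxy_challenges=False):
    """Model of the policy under discussion (an assumption, not Gecko's logic).

    Returns one of:
      'no-auth'     - the response carried no credential challenge
      'retry-quiet' - credentials are already known, so the challenge headers
                      are answered with no UI (the prompt is blocked, not auth)
      'suppress'    - a cross-origin image triggered the challenge; no dialog
      'prompt'      - the user is shown a credential dialog
    """
    if status not in (401, 407) or not challenge_header:
        return "no-auth"
    if have_cached_credentials:
        return "retry-quiet"
    # A 407 is nominally a proxy challenge. Exempting it from the block would
    # let any image host that answers 407 get the dialog back, which is the
    # phishing risk raised against bug 1423522 in the thread.
    if exempt_proxy_challenges and status == 407:
        return "prompt"
    cross_origin = origin(page_url) != origin(resource_url)
    if is_image and cross_origin:
        return "suppress"
    return "prompt"


if __name__ == "__main__":
    # Constructed sample: a forum comment embedding an image from another host.
    page, pic = "https://forum.example/t/1", "https://other.example/pic.png"
    for exempt in (False, True):
        print("407 from image host, exempt_proxy_challenges=%s ->" % exempt,
              decide_auth_prompt(page, pic, is_image=True, status=407,
                                 challenge_header='Basic realm="proxy"',
                                 have_cached_credentials=False,
                                 exempt_proxy_challenges=exempt))
```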


Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin

2017-12-06 Thread Dragana Damjanovic
On Tue, Dec 5, 2017 at 10:29 PM, Xidorn Quan  wrote:

> On Wed, Dec 6, 2017, at 01:25 AM, Dragana Damjanovic wrote:
> > Hi all,
> >
> > We have implemented this for a long time, but the pref was turned off.
> > I intend to switch on the pref for this in bug 1423146.
> > After the pref is switched an http-authentication dialog prompt will not
> > be shown if it is triggered by an image resource from a cross-origin.
>
> Would this affect authentication from proxy? For example, if the
> cross-origin image is on a domain which PAC decides to use proxy for,
> and the proxy requires authentication, would the dialog prompt for it be
> suppressed as well? If so, it sounds a bit unfortunate.
>
>
Good point.
Currently it would be blocked. I think we should change that. I will file a
bug (I will also leave the security team to have a final word).

dragana



> - Xidorn


Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin

2017-12-05 Thread Xidorn Quan
On Wed, Dec 6, 2017, at 01:25 AM, Dragana Damjanovic wrote:
> Hi all,
> 
> We have implemented this for a long time, but the pref was turned off.
> I intend to switch on the pref for this in bug 1423146.
> After the pref is switched an http-authentication dialog prompt will not
> be shown if it is triggered by an image resource from a cross-origin.

Would this affect authentication from proxy? For example, if the
cross-origin image is on a domain which PAC decides to use proxy for,
and the proxy requires authentication, would the dialog prompt for it be
suppressed as well? If so, it sounds a bit unfortunate.

- Xidorn


Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin

2017-12-05 Thread Dragana Damjanovic
Hi all,

We have implemented this for a long time, but the pref was turned off.
I intend to switch on the pref for this in bug 1423146.
After the pref is switched an http-authentication dialog prompt will not be
shown if it is triggered by an image resource from a cross-origin.

Chrome already has this switch on.


dragana