Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin
On Wed, Dec 6, 2017 at 9:13 AM, Dragana Damjanovic wrote:
> Bug 1423522 should fix this.

That doesn't fix it, that reenables the phishing risk. There's no reason the phisher's server can't pretend to be a proxy if that's what it takes to get a spoofy auth prompt to show up on a discussion board that allows images in their comments.

-Dan Veditz

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin
Bug 1423522 should fix this.

dragana

On Wed, Dec 6, 2017 at 5:53 PM, Daniel Veditz wrote:
> On Tue, Dec 5, 2017 at 1:29 PM, Xidorn Quan wrote:
> > Would this affect authentication from proxy? For example, if the cross-origin image is on a domain which PAC decides to use proxy for, and the proxy requires authentication, would the dialog prompt for it be suppressed as well? If so, it sounds a bit unfortunate.
>
> Note that we're blocking the auth _prompt_, not auth itself. If your first connection with that proxy is on an <img> tag in some other site then yes, that will be blocked. But if you've auth'd with the proxy already we will respond normally to the authentication headers.
>
> Work-around: right-click on the broken image and choose "View Image" or equivalent, then go back to the original page and it will load.
>
> -Dan Veditz
Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin
On Tue, Dec 5, 2017 at 1:29 PM, Xidorn Quan wrote:
> Would this affect authentication from proxy? For example, if the cross-origin image is on a domain which PAC decides to use proxy for, and the proxy requires authentication, would the dialog prompt for it be suppressed as well? If so, it sounds a bit unfortunate.

Note that we're blocking the auth _prompt_, not auth itself. If your first connection with that proxy is on an <img> tag in some other site then yes, that will be blocked. But if you've auth'd with the proxy already we will respond normally to the authentication headers.

Work-around: right-click on the broken image and choose "View Image" or equivalent, then go back to the original page and it will load.

-Dan Veditz
Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin
On Tue, Dec 5, 2017 at 10:29 PM, Xidorn Quan wrote:
> On Wed, Dec 6, 2017, at 01:25 AM, Dragana Damjanovic wrote:
> > Hi all,
> >
> > We have implemented this for a long time, but the pref was turned off. I intend to switch on the pref for this in bug 1423146. After the pref is switched an http-authentication dialog prompt will not be shown if it is triggered by an image resource from a cross-origin.
>
> Would this affect authentication from proxy? For example, if the cross-origin image is on a domain which PAC decides to use proxy for, and the proxy requires authentication, would the dialog prompt for it be suppressed as well? If so, it sounds a bit unfortunate.

Good point. Currently it would be blocked. I think we should change that. I will file a bug (I will also leave the security team to have a final word).

dragana

> - Xidorn
Re: Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin
On Wed, Dec 6, 2017, at 01:25 AM, Dragana Damjanovic wrote:
> Hi all,
>
> We have implemented this for a long time, but the pref was turned off. I intend to switch on the pref for this in bug 1423146. After the pref is switched an http-authentication dialog prompt will not be shown if it is triggered by an image resource from a cross-origin.

Would this affect authentication from proxy? For example, if the cross-origin image is on a domain which PAC decides to use proxy for, and the proxy requires authentication, would the dialog prompt for it be suppressed as well? If so, it sounds a bit unfortunate.

- Xidorn
Intent to ship: Do not allow a http-auth prompt requested by an image resource loaded from a cross-origin
Hi all,

We have implemented this for a long time, but the pref was turned off. I intend to switch on the pref for this in bug 1423146. After the pref is switched an http-authentication dialog prompt will not be shown if it is triggered by an image resource from a cross-origin.

Chrome already has this switch on.

dragana