No edit summary |
No edit summary |
||
Line 9: | Line 9: | ||
}} | }} | ||
{{FeaturePageBody | {{FeaturePageBody | ||
|Feature open issues and risks=* For mixed content pages, how do we differentiate between script content and display content. Is there already a defined variable with this information (or will there be after https://wiki.mozilla.org/Security/Features/Mixed_Content_Blocker and https://bugzilla.mozilla.org/show_bug.cgi?id=62178 are complete)? | |Feature open issues and risks=* Integration with Password Manager. If a page has a highlighted password field, should passwords not automatically be populated by Password Manager? If we did this, and a user wanted the password autofilled anyway, how would they do that? What would the UX look like? | ||
* For mixed content pages, how do we differentiate between script content and display content. Is there already a defined variable with this information (or will there be after https://wiki.mozilla.org/Security/Features/Mixed_Content_Blocker and https://bugzilla.mozilla.org/show_bug.cgi?id=62178 are complete)? | |||
* If an https page has a form submit target that call is javascript, how do we determine whether the data is transmitted over http or https? The browser will not know until the submit button is hit and the password is already being sent. At that point, it is too late to highlight the password field in red. How can we analyze the javascript to determine that all eventual targets would be over https? Or should we just prompt a warning in these cases? Where would the warning go? We would have a high false positive rate. Should we ignore this case? | * If an https page has a form submit target that call is javascript, how do we determine whether the data is transmitted over http or https? The browser will not know until the submit button is hit and the password is already being sent. At that point, it is too late to highlight the password field in red. How can we analyze the javascript to determine that all eventual targets would be over https? Or should we just prompt a warning in these cases? Where would the warning go? We would have a high false positive rate. Should we ignore this case? | ||
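Review bot: The new Password Manager bullet does not say which condition makes a field "highlighted", so the question cannot be answered as written. Autofill happens when the page loads, while the JavaScript submit-target bullet below says the browser does not know the transport until the submit button is hit, so state whether suppressing autofill applies only to cases known at load time (for example the mixed content case) or to all of them. The wording "should passwords not automatically be populated" would also read more clearly as "should Password Manager skip autofill".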
Line 35: | Line 37: | ||
Phase 2: Use case 4 & 5 - Deal with mixed content. | Phase 2: Use case 4 & 5 - Deal with mixed content. | ||
Phase 3: Integration with password manager (?). See open issues. | |||
|Feature ux design=Outline username and password field in red. Add text boxes with more input leveraging HTML 5 Constraint Validation. | |Feature ux design=Outline username and password field in red. Add text boxes with more input leveraging HTML 5 Constraint Validation. | ||
}} | }} |
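Review bot: The added "Phase 3" line puts password manager integration on the roadmap with a "(?)" while the matching open issue is still undecided, and unlike "Phase 2: Use case 4 & 5" it names no use case. Either mark the phase as tentative in words and say it depends on resolving the Password Manager open issue, or add the use case it would implement so that the phase has a defined scope.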