Security/Features/HighlightCleartextPasswords: Difference between revisions

Line 16: Line 16:
** Placeholder text is typically grey.  Can it be another color?
** Placeholder text is typically grey.  Can it be another color?
** Check if ssl version exists and if it does, offer a redirect.
** Check if ssl version exists and if it does, offer a redirect.
** Outline in a specific color.  Red is already used for form validation.
** Outline in a specific color.  Red is already used for form validation.  Maybe use another color with a constraint validation custom message.


* Integration with Password Manager.  If a page has a highlighted password field, should passwords not automatically be populated by Password Manager?  If we did this, and a user wanted the password autofilled anyway, how would they do that?  What would the UX look like?
* Integration with Password Manager.  If a page has a highlighted password field, should passwords not automatically be populated by Password Manager?  If we did this, and a user wanted the password autofilled anyway, how would they do that?  What would the UX look like?
** It would go through the multi-user experience (ex: when there are two usernmae/password pairs stored for a site, the password isn't filled in until the user selects the username)


* For mixed content pages, how do we differentiate between script content and display content.  Is there already a defined variable with this information (or will there be after https://wiki.mozilla.org/Security/Features/Mixed_Content_Blocker and https://bugzilla.mozilla.org/show_bug.cgi?id=62178 are complete)?
* For mixed content pages, how do we differentiate between script content and display content.  Is there already a defined variable with this information (or will there be after https://wiki.mozilla.org/Security/Features/Mixed_Content_Blocker and https://bugzilla.mozilla.org/show_bug.cgi?id=62178 are complete)?


* If an https page has a form submit target that call is javascript, how do we determine whether the data is transmitted over http or https?  The browser will not know until the submit button is hit and the password is already being sent.  At that point, it is too late to highlight the password field in red.  How can we analyze the javascript to determine that all eventual targets would be over https?  Or should we just prompt a warning in these cases?  Where would the warning go?  We would have a high false positive rate.  Should we ignore this case?
* If an https page has a form submit target that call is javascript, how do we determine whether the data is transmitted over http or https?  The browser will not know until the submit button is hit and the password is already being sent.  At that point, it is too late to highlight the password field in red.  How can we analyze the javascript to determine that all eventual targets would be over https?  Or should we just prompt a warning in these cases?  Where would the warning go?  We would have a high false positive rate.  Should we ignore this case?
** This case may already be handled with a Security Warning alert box.  See people.mozilla.com/~tvyas/https_post_http.png and people.mozilla.com/~tvyas/https_post_http_with_js.png
** This case is already be handled with a Security Warning alert box.  See people.mozilla.com/~tvyas/https_post_http.png and people.mozilla.com/~tvyas/https_post_http_with_js.png
** Is there way to disable this security warning?  Not currently: https://bugzilla.mozilla.org/show_bug.cgi?id=436200
** Is there way to disable this security warning?  Not currently: https://bugzilla.mozilla.org/show_bug.cgi?id=436200
** Do you still get the warning if you are on a mixed content page?
** Do you still get the warning if you are on a mixed content page?
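Review bot: Two wording slips come in with this hunk. In the added Password Manager sub-bullet, "usernmae" should be "username". The reworded Security Warning bullet now reads "This case is already be handled", which should be "This case is already handled". Changing "may already be" to a definite statement also conflicts with the question left open two bullets later, whether the warning still appears on a mixed content page. Either keep the hedge or limit the claim to the two screenshot cases (https_post_http and https_post_http_with_js) until that question is answered.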
Line 49: Line 50:
Phase 2: Use case 4 & 5 - Deal with mixed content.
Phase 2: Use case 4 & 5 - Deal with mixed content.


Phase 3: Integration with password manager (?).  See open issues.
|Feature ux design=Multiple options hereSee Open Issues - "What do we mean by Highlight."
|Feature ux design=Outline password field in redAdd text boxes with more input leveraging HTML 5 Constraint Validation. Possibly use a placeholder for the password field like "insecure".
|Feature implementation plan=https://bugzilla.mozilla.org/show_bug.cgi?id=748193
|Feature implementation plan=https://bugzilla.mozilla.org/show_bug.cgi?id=748193
}}
}}
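Review bot: The new "Feature ux design" value commits to "Outline password field in red", but the open-issues bullet edited in this same revision says red is already used for form validation and suggests another color with a constraint validation custom message. The two should agree: either name the alternative color here or point back to the open issue, as the previous value did. The value also appears to lack a separator between "red" and "Add text boxes", and "insecure" as placeholder text should be reconciled with the open question about placeholder color.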