No edit summary |
No edit summary |
Line 12: | Line 12: | ||
* If an https page has a form submit target that call is javascript, how do we determine whether the data is transmitted over http or https? The browser will not know until the submit button is hit and the password is already being sent. At that point, it is too late to highlight the password field in red. How can we analyze the javascript to determine that all eventual targets would be over https? Or should we just prompt a warning in these cases? Where would the warning go? We would have a high false positive rate. Should we ignore this case? | * If an https page has a form submit target that call is javascript, how do we determine whether the data is transmitted over http or https? The browser will not know until the submit button is hit and the password is already being sent. At that point, it is too late to highlight the password field in red. How can we analyze the javascript to determine that all eventual targets would be over https? Or should we just prompt a warning in these cases? Where would the warning go? We would have a high false positive rate. Should we ignore this case? | ||
|Feature overview=Highlight passwords | |Feature overview=Highlight passwords that are not transmitted over ssl. We will focus on type=password. Other sensitive information will be covered in https://wiki.mozilla.org/Security/Features/Identify_which_bits_are_unencrypted | ||
|Feature users and use cases=# A user is asked to login on an http page. The login form submits to an http destination. Users password is sent in cleartext. | |Feature users and use cases=# A user is asked to login on an http page. The login form submits to an http destination. Users password is sent in cleartext. | ||
#* '''Outline the password and username field in red.''' | #* '''Outline the password and username field in red.''' | ||
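Review bot: The new Feature overview text narrows the feature to type=password, but the first use case below it still says to outline the password and username field in red, and a username field is not type=password. Either widen the overview to cover the username field that accompanies a password input, or drop the username from that use case so the two agree. The overview also says "ssl" while the open issue and use cases on this page speak of http and https; using one term throughout (for example "not transmitted over https") would avoid ambiguity. The bare URL to Security/Features/Identify_which_bits_are_unencrypted would read better as a wiki link.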
Line 26: | Line 26: | ||
#* '''Do nothing''' | #* '''Do nothing''' | ||
#* Open Issue - how do we tackle this scenario? | #* Open Issue - how do we tackle this scenario? | ||
|Feature requirements=When type=password, outline the password box in red. Also add a note to the user that occurs onfocus so they know why the form is outlined in red (perhaps utilizing Constraint Validation) | |Feature requirements=When type=password, outline the password box in red. Also add a note to the user that occurs onfocus so they know why the form is outlined in red (perhaps utilizing Constraint Validation) | ||
|Feature non-goals=This item is only for type=password. Other sensitive data is captured in this feature page: | |Feature non-goals=This item is only for type=password. Other sensitive data is captured in this feature page: |