
insecure redirect without warning

  • 6 replies
  • 1 has this problem
  • 3 views
  • Last reply by bardoul


I discovered that when I enter an https url in my browser and the page redirects me to an http url, it just works. May I expect firefox to give me a warning?



All Replies (6)


bardoul said

I discovered that when I enter an https url in my browser and the page redirects me to an http url, it just works. May I expect firefox to give me a warning?

Would you do this please :

Type in the address bar about:config and press Enter (promise to be careful, if asked)

Type in the search bar accessibility.block

Look for the preference accessibility.blockautorefresh

and set its value to true

Then close and restart Firefox.

You should get these warnings now .....

Also see : http://kb.mozillazine.org/Accessibility.blockautorefresh


Hi McCoy,

I've adjusted that setting but no warning. Still I believe with default settings a browser should warn me by default if I'm redirected to an insecure page.

I've looked at the kb, but the redirect I have is an http 302, not a refresh described there.


[edit typo]

Modified by bardoul


Hi bardoul, Firefox only gives you control over the redirect if the site tries to downgrade a POST request, which is how form data is submitted. If the request was a GET (simply retrieve an address), there is no warning other than the lock no longer appearing on the address bar.

Future versions of Firefox may show a slashed lock. However, it is a bit out of your visual focus area when viewing a page.

Should there be more of a warning and, if so, how would it work?

For example:

  • Follow the redirect and drop a noticeable panel from the left end of the address bar (or an add-on toolbar button)
  • Follow the redirect but don't send the cookies (cookies can sometimes be considered sensitive), then ask if the user wants to reload the page with cookies (could cause an endless loop)
  • Pause the redirect and ask for consent to proceed

I don't know whether an add-on could implement the second or third of those. I think it could implement the first one.

Modified by jscher2000 - Support Volunteer
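The behaviour jscher2000 describes (a 302 from an https:// address to an http:// one is followed silently for a GET, and the only sign is the missing lock) can be made visible outside the browser by walking the redirect chain yourself and checking each hop's scheme. The script below is an added example, not Firefox code and not code from anyone in this thread; the `fetch` callable is a hypothetical stand-in for a real HTTP client that does not follow redirects, and here it is backed by a constructed in-memory table so the script runs offline. It also resolves relative and scheme-relative Location headers the way a browser does, which is what decides whether a hop counts as a downgrade.

```python
"""Walk an HTTP redirect chain and flag HTTPS -> HTTP downgrades.

Added example (not Firefox code, not from the thread).  `fetch` is a
hypothetical stand-in for an HTTP client that returns the raw response
without following redirects; FAKE_SERVER is a constructed response table.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed responses: url -> (status, headers).  Location values are
# written as a server might send them, including relative forms.
FAKE_SERVER = {
    "https://shop.example/login": (302, {"Location": "http://shop.example/login"}),
    "http://shop.example/login": (200, {}),
    "https://app.example/": (302, {"Location": "/start"}),
    "https://app.example/start": (302, {"Location": "//cdn.example/start"}),
    "https://cdn.example/start": (200, {}),
}


def fake_fetch(url):
    """Return (status, headers) for a URL without following redirects."""
    return FAKE_SERVER.get(url, (404, {}))


def follow_chain(start_url, fetch=fake_fetch, max_hops=10):
    """Return the hops as a list of (url, status, next_url_or_None)."""
    hops = []
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            # Resolve relative ("/start") and scheme-relative ("//host/x")
            # Location values against the current URL, as browsers do.
            nxt = urljoin(url, headers["Location"])
            hops.append((url, status, nxt))
            url = nxt
        else:
            hops.append((url, status, None))
            return hops
    raise RuntimeError("too many redirects")


def find_downgrades(hops):
    """Return (source, target) pairs where the scheme drops from https to http."""
    return [
        (src, dst)
        for src, _status, dst in hops
        if dst is not None
        and urlsplit(src).scheme == "https"
        and urlsplit(dst).scheme == "http"
    ]


if __name__ == "__main__":
    for start in ("https://shop.example/login", "https://app.example/"):
        chain = follow_chain(start)
        for src, status, dst in chain:
            print(f"{status} {src}" + (f" -> {dst}" if dst else ""))
        print("  downgrades:", find_downgrades(chain) or "none")
```

The second constructed chain never downgrades: a scheme-relative Location (`//cdn.example/start`) inherits https from the current URL, so only an absolute `http://` target, or a redirect from an http page, lowers the scheme. Pointing `fetch` at a real client that disables automatic redirects turns this into a quick check for a login URL before handing it to users.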


Hi jscher2000

Thanks for the explanation. In my case it's a get request. But the problem with my situation is, that the url to a login page gets downgraded without warning. The post in the login is also http because of the downgrade. I've also reported this issue to the owner of the page. But I was confused my browser didn't protect me.

Modified by bardoul


Chosen Solution

Firefox usually drops a warning panel on login forms on HTTP pages. You can compare:

http://www.jeffersonscher.com/res/logintest.html

If you don't get a warning panel on the username/password fields, please check these preferences:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste insec and pause while the list is filtered

(3) If the security.insecure_field_warning.contextual.enabled preference is bolded and "modified" or "user set" to false, double-click it to restore the default value of true

(4) If the security.insecure_password.ui.enabled preference is bolded and "modified" or "user set" to false, double-click it to restore the default value of true
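Checking those two preferences by hand in about:config works for one profile; on a managed fleet it is easier to read them out of the profile's prefs.js (or a deployed user.js), where Firefox stores only values that differ from the built-in defaults. The script below is an added example, not Firefox's own code and not from the thread: it parses `user_pref("name", value);` lines and reports any of the two preferences named above whose effective value is not the `true` the answer expects, treating a preference that is absent from the file as being at its default of `true`, as the answer states. The file content is a constructed sample.

```python
"""Audit a Firefox prefs.js / user.js for the insecure-login warning prefs.

Added example, not Firefox code and not from the thread.  Parses
user_pref("name", value); lines and reports preferences from the chosen
solution whose effective value differs from the expected `true`.
"""
import re

# Preferences named in the chosen solution -> expected (and default) value.
EXPECTED = {
    "security.insecure_field_warning.contextual.enabled": True,
    "security.insecure_password.ui.enabled": True,
}

# user_pref("name", true|false|<int>|"string");
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

# Constructed sample of a profile's prefs.js.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences  (constructed sample)
user_pref("browser.startup.homepage", "about:home");
user_pref("security.insecure_field_warning.contextual.enabled", false);
user_pref("security.insecure_password.ui.enabled", true);
user_pref("network.http.max-connections", 900);
"""


def parse_prefs(text):
    """Return {name: value} with JS literals converted to Python values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def audit(text, expected=EXPECTED):
    """Return {name: (effective_value, expected_value)} for mismatches.

    A preference missing from prefs.js is at its built-in default, which for
    both of these preferences is True (per the answer above), so only an
    explicit `false` in the file is reported.
    """
    prefs = parse_prefs(text)
    mismatches = {}
    for name, want in expected.items():
        effective = prefs.get(name, want)  # absent -> default == expected
        if effective != want:
            mismatches[name] = (effective, want)
    return mismatches


if __name__ == "__main__":
    for name, (got, want) in audit(SAMPLE_PREFS_JS).items():
        print(f"{name}: is {got}, expected {want}")
```

Run against a real profile, `audit(open(path).read())` returns an empty dict when both warnings are enabled; any entry it returns corresponds exactly to a preference that about:config would show bolded and "modified" to false, which is the case steps (3) and (4) above tell you to fix.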


True, didn't notice them because I don't have login for the page, I just need to make it available to our users.

That warning should be sufficient.