insecure redirect without warning
I discovered that when I enter an https URL in my browser and the page redirects me to an http URL, it just works. May I expect Firefox to give me a warning?
bardoul said
I discovered that when I enter an https URL in my browser and the page redirects me to an http URL, it just works. May I expect Firefox to give me a warning?
Would you do this please:
Type in the address bar about:config and press Enter (promise to be careful, if asked)
Type in the search bar accessibility.block
Look for the preference accessibility.blockautorefresh
and set its value to true
Then close and restart Firefox.
You should get these warnings now.
Also see: http://kb.mozillazine.org/Accessibility.blockautorefresh
Hi McCoy,
I've adjusted that setting but no warning. Still I believe with default settings a browser should warn me by default if I'm redirected to an insecure page.
I've looked at the kb, but the redirect I have is an http 302, not a refresh described there.
[edit typo]
Modified by bardoul
Hi bardoul, Firefox only gives you control over the redirect if the site tries to downgrade a POST request, which is how form data is submitted. If the request was a GET (simply retrieve an address), there is no warning other than the lock no longer appearing on the address bar.
Future versions of Firefox may show a slashed lock. However, it is a bit out of your visual focus area when viewing a page.
Should there be more of a warning and, if so, how would it work?
For example:
- Follow the redirect and drop a noticeable panel from the left end of the address bar (or an add-on toolbar button)
- Follow the redirect but don't send the cookies (cookies can sometimes be considered sensitive), then ask if the user wants to reload the page with cookies (could cause an endless loop)
- Pause the redirect and ask for consent to proceed
I don't know whether an add-on could implement the second or third of those. I think it could implement the first one.
Modified by jscher2000 - Support Volunteer
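The first option in the list above (follow the redirect, but tell the user) is the one an add-on can realistically implement. The following is an added illustration, not code from jscher2000, bardoul or the Firefox project: the downgrade check is kept as a pure function so it can be run outside a browser, and the WebExtension wiring around it uses the real `browser.webRequest.onBeforeRedirect` and `browser.notifications.create` APIs. It goes a little beyond the post by also distinguishing a downgraded POST (form data about to be resent in clear text) from the silent GET case the thread is about, and by noting whether the redirect changes host. The sample redirect chain, the `example.test`/`other.test` names and the severity labels are constructed for the example; the add-on would additionally need the `webRequest`, `notifications` and `<all_urls>` permissions in its manifest, which is not shown.

```javascript
// Added example (not from the thread or the Firefox project): classify a
// redirect as an https -> http downgrade and, inside a WebExtension, notify
// the user without blocking the navigation.

function parseOrNull(s) {
  try {
    return new URL(s);
  } catch (e) {
    return null; // malformed URL: treat as "cannot judge", never as a downgrade
  }
}

// Takes a webRequest-style record ({ url, redirectUrl, method }) and returns
// a description of whether the hop moves the request from https: to http:.
function classifyRedirect(details) {
  const from = parseOrNull(details.url);
  const to = parseOrNull(details.redirectUrl);
  if (!from || !to) {
    return { downgrade: false, reason: 'unparseable URL' };
  }
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  if (!downgrade) {
    return { downgrade: false, reason: 'no scheme downgrade' };
  }
  const method = (details.method || 'GET').toUpperCase();
  // A downgraded POST resends the submitted body in clear text (Firefox
  // already intervenes there); a downgraded GET is the silent case from the
  // thread. Severity labels are constructed for this example.
  const severity = method === 'POST' ? 'high' : 'medium';
  return {
    downgrade: true,
    method,
    severity,
    crossHost: from.hostname !== to.hostname,
    reason: `${from.origin} redirected to ${to.origin}`,
  };
}

// Walk a whole redirect chain and keep only the downgrading hops.
function findDowngrades(chain) {
  return chain.map(classifyRedirect).filter((r) => r.downgrade);
}

// WebExtension wiring: only active where the browser namespace exists, so the
// file also runs under plain Node for the test below.
if (typeof browser !== 'undefined' && browser.webRequest) {
  browser.webRequest.onBeforeRedirect.addListener(
    (details) => {
      const result = classifyRedirect(details);
      if (result.downgrade) {
        browser.notifications.create({
          type: 'basic',
          title: 'Insecure redirect',
          message: `${result.method} ${result.reason}`,
        });
      }
    },
    { urls: ['<all_urls>'] }
  );
}

// Constructed sample chain modelled on the thread: an https login URL that is
// bounced to http, plus an upgrade, a same-scheme hop and a downgraded POST.
const sampleChain = [
  { url: 'https://example.test/login', redirectUrl: 'http://example.test/login', method: 'GET' },
  { url: 'http://example.test/login', redirectUrl: 'https://example.test/login', method: 'GET' },
  { url: 'https://example.test/a', redirectUrl: 'https://example.test/b', method: 'GET' },
  { url: 'https://example.test/submit', redirectUrl: 'http://other.test/submit', method: 'POST' },
];
```

Run under Node, `findDowngrades(sampleChain)` reports two hops: the GET to the login page (medium, same host) and the POST to the other host (high, cross-host). The http to https hop and the https to https hop are left alone, and a record with an unparseable URL is reported as not a downgrade rather than throwing inside the listener.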
Hi jscher2000
Thanks for the explanation. In my case it's a GET request. But the problem with my situation is that the URL to a login page gets downgraded without warning. The POST in the login is also http because of the downgrade. I've also reported this issue to the owner of the page. But I was confused that my browser didn't protect me.
Modified by bardoul
Chosen Solution
Firefox usually drops a warning panel on login forms on HTTP pages. You can compare:
http://www.jeffersonscher.com/res/logintest.html
If you don't get a warning panel on the username/password fields, please check these preferences:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
(2) In the search box above the list, type or paste insec and pause while the list is filtered.
(3) If the security.insecure_field_warning.contextual.enabled preference is bolded and "modified" or "user set" to false, double-click it to restore the default value of true.
(4) If the security.insecure_password.ui.enabled preference is bolded and "modified" or "user set" to false, double-click it to restore the default value of true.
True, didn't notice them because I don't have a login for the page, I just need to make it available to our users.
That warning should be sufficient.