Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Recent firefox upgrade gieves me an authorization error on my framed site.

  • 10 replies
  • 5 have this problem
  • 1 view
  • Last reply by rweil

more options

Recent Firefox upgrade (40.0.2) gives me an authorization error on my framed site.

I have a site http://calendar.shaw-weil.com/ which is nothing but a frame. See below

When I click a date number I now get Authorization Required You need a userid and password for accessing this calendar

I use to, and if I go to http://128.2.204.57:5555/default and click a date i get a web authorization pop-up saying A username and password are being requested by http://128.2.204.57:5555. The site says: "iCal Login"

What changed? and is there an option to disable it?

Thanks in advance for your time Roy


<title>Mary and Roys Calendar</title> <meta name="keywords" content=""> <meta name="description" content=""> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <frameset rows="100%"> <frame src="http://128.2.204.57:5555/default" title="Mary and Roys Calendar" frameborder="0" noresize="noresize"/> <noframes>

Mary and Roys Calendar

http://calendar.shaw-weil.com/

</noframes> </frameset>

Recent Firefox upgrade (40.0.2) gives me an authorization error on my framed site. I have a site http://calendar.shaw-weil.com/ which is nothing but a frame. See below When I click a date number I now get Authorization Required You need a userid and password for accessing this calendar I use to, and if I go to http://128.2.204.57:5555/default and click a date i get a web authorization pop-up saying A username and password are being requested by http://128.2.204.57:5555. The site says: "iCal Login" What changed? and is there an option to disable it? Thanks in advance for your time Roy <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"> <html> <head> <title>Mary and Roys Calendar</title> <meta name="keywords" content="" /> <meta name="description" content="" /> <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> </head> <frameset rows="100%"> <frame src="http://128.2.204.57:5555/default" title="Mary and Roys Calendar" frameborder="0" noresize="noresize"/> <noframes> <body> <h1>Mary and Roys Calendar</h1> <p><a href="http://128.2.204.57:5555/default">http://calendar.shaw-weil.com/</a></p> </body> </noframes> </frameset> </html>

Chosen solution

There is a way to undo this change in your Firefox if you like. As long as you are suspicious of this prompt appearing on other sites than your own.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste auth and pause while the list is filtered

(3) Double-click the network.auth.allow-subresource-auth preference and edit the 1 to a 2 and click OK

  • 1 shows the login dialog only for framed pages, images, etc., hosted on the same site
  • 2 allows the login dialog for framed pages, images, etc., hosted on any site

When I test the change, it worked. I still think it's bad that it's not a secure connection.

Read this answer in context 👍 2

All Replies (10)

more options

I'm not seeing the problem on Windows 7. Here's what I suggest:

(1) In case this is a problem with cached files, clear Firefox's cache. See: How to clear the Firefox cache. If you have a large hard drive, this might take a couple minutes to complete.

Then reload the site (Ctrl+r). Any improvement?

(2) In case this is a problem with a corrupted cookie, clear cookies for both the "outer" site and the "inner site". The easiest way is to load each in turn and use the Page Info dialog to get to the cookie list. Either:

  • right-click and choose View Page Info > Security > "View Cookies"
  • (menu bar) Tools > Page Info > Security > "View Cookies"
  • click the padlock or globe icon in the address bar > More Information > "View Cookies"

In the dialog that opens, you can remove the site's cookies individually.

Then repeat with the second site, and reload. Success?

If that doesn't help, we can check issues such as:

  • are cookies blocked?
  • is the referring site information blocked?
  • is this a sign from the universe that you should take a little time off?
more options

Cleared cache, cleared cookies both sites. cleared saved passwords.

No Joy

The same started happening on a Windows 7 machines as well. i.e it just started happening, and the only known upgrade was to Firefox

Further note. If I go to the 128... site and log in, then I can go to the Calendar site and get in with no further authorization.

so the answers to sub questions 1 and 2 is nothing is blocked. the answer to sub question 3 is dont I wish

Roy

more options

Hi Roy, does it make any difference if you use a private window? Assuming you are in a regular session now, the private window should look like a different user to the site. To load that, you can right-click the link in your original question and use Open Link in New Private Window, or use Ctrl+Shift+p to launch the window and then go to the calendar as you usually do.

more options

I'm sorry, I did not test correctly before, I clicked an appointment link, not a date link. When I click a date link, I get the same message.

more options

When I click a date link, it calls an edit command, so naturally that is subject to authentication. So we return to the question is why it worked in earlier versions of Firefox and not in Firefox 40?

I can understand why Firefox does not pop up the two line login dialog for a framed page, to avoid deception by embedded frames designed to capture your credentials for a different site. Was that a change in Firefox 40, or is the change that iCal isn't remembering that you are logged in?

By the way, I would not enter your password in the dialog from http://128.2.204.57:5555/default because it is not a secure connection. Someone with access to your request anywhere along the network between you and iCal could learn your password that way.

Hopefully there's another way to make this work.

more options

Ical appears to be remembering that I log in, because

If I go to the 128... site and log in, then I can go back to the Calendar... site and do the edits with no further authorization.

New Private Window is also No Joy.

Is there a change log someplace for Firefox?

Also unfortunately ical is an executable acting as a web server which is why the :5555. So no help there looking at the internals.

Roy

more options

rweil said

Is there a change log someplace for Firefox?

Sort of. On the Release Notes page you'll see a link to a complete list of changes in the release. This queries the bug tracking system for the hundreds of different issues addressed: https://www.mozilla.org/firefox/40.0.2/releasenotes/

more options

Looks like it is a change to stop showing the login dialog for framed pages:

"Users can be fooled into typing their credentials into HTTP authentication dialogs from other (potentially attacker-controlled) web sites if an attacker can inject content protected by HTTP auth into a legitimate site. Sub-document resources like images, scripts, iframes, etc. should not be able to cause this dialog, possibly in any case, but certainly in cases where the resource is in a different origin."

Source: Bug #647010 – Only present HTTP authentication dialogs if it is the top-level document initiating the auth.

A lot of angry/frustrated comments at the end, but really the solution would be to file a new bug proposing a better user interface for the authentication request.

more options

Chosen Solution

There is a way to undo this change in your Firefox if you like. As long as you are suspicious of this prompt appearing on other sites than your own.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful.

(2) In the search box above the list, type or paste auth and pause while the list is filtered

(3) Double-click the network.auth.allow-subresource-auth preference and edit the 1 to a 2 and click OK

  • 1 shows the login dialog only for framed pages, images, etc., hosted on the same site
  • 2 allows the login dialog for framed pages, images, etc., hosted on any site

When I test the change, it worked. I still think it's bad that it's not a secure connection.

more options

Thanks for the prompt replies. doing the about:config ... workaround worked for me.

I have submitted a request to ICal for a fix. both to this problem and to https: