HTTP passwords on HTTPS sites and otherwise


Post by Latitude » 2016-08-14, 05:12

What about HTTP passwords on HTTPS sites and otherwise (HTTPS passwords on HTTP sites)?

This is FF 49's feature.

http://www.ghacks.net/2016/08/12/firefo ... tps-sites/

Moonchild
Pale Moon guru
Posts: 35650
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: HTTP passwords on HTTPS sites and otherwise

Post by Moonchild » 2016-08-14, 08:12

Autofilling a password on a downgraded scheme (https->http) is never going to be good. Hijacked sites could instantly steal auto-filled passwords in that case so that's a major security risk.

Otherwise this looks like something minor. In fact, I'd say that not filling the password when the scheme is upgraded might be a good thing, since it calls attention to the fact that something has changed and that one should, in fact, change the password for your own security (http passwords used previously might have been observed). Of course that is also ultimately something the website owners should pay attention to.

Either way, simply re-adding the password as a one-time inconvenience will work to solve this for a user.

I'd prefer to err on the side of caution and not cross the http/https boundary for something as sensitive as passwords.
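The scheme-boundary rule discussed in this thread, as an added example that is not part of the original posts and is not Pale Moon or Firefox code. The policy names `strict` and `allow-upgrade`, the function names, and the `example.test` logins are assumptions made for illustration; `strict` models never crossing the http/https boundary, `allow-upgrade` models filling an HTTP-saved password on the HTTPS version of the same host, and limiting the upgrade to default ports is also an assumption.

```javascript
// Added example: decide whether a saved login may be autofilled on a page.
// Policy names are hypothetical labels, not real browser preferences.
const DEFAULT_PORT = { "http:": "80", "https:": "443" };

function parseOrigin(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORT)) {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  // URL drops the port when it is the scheme default, so restore it.
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORT[u.protocol] };
}

function autofillDecision(savedOrigin, pageUrl, policy = "strict") {
  const saved = parseOrigin(savedOrigin);
  const page = parseOrigin(pageUrl);

  if (saved.host !== page.host) return { fill: false, reason: "host-mismatch" };

  if (saved.scheme === page.scheme) {
    return saved.port === page.port
      ? { fill: true, reason: "same-origin" }
      : { fill: false, reason: "port-mismatch" };
  }

  // Saved over HTTPS, page is HTTP: never fill, whatever the policy says.
  if (saved.scheme === "https:") return { fill: false, reason: "scheme-downgrade" };

  // Saved over HTTP, page is HTTPS: fill only if the policy opts in and
  // both sides use their default port (assumption of this example).
  const defaultPorts = saved.port === "80" && page.port === "443";
  if (policy === "allow-upgrade" && defaultPorts) {
    return { fill: true, reason: "scheme-upgrade" };
  }
  return { fill: false, reason: "scheme-upgrade-blocked" };
}

// Constructed sample store: one login saved over HTTPS, one over HTTP.
const SAMPLE_LOGINS = [
  { origin: "https://bank.example.test", user: "alice" },
  { origin: "http://forum.example.test", user: "alice" },
];

function fillableLogins(logins, pageUrl, policy) {
  return logins.filter((l) => autofillDecision(l.origin, pageUrl, policy).fill);
}
```
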