Security Warning prompt


Post by RealityRipple » 2018-07-14, 02:20

I'm sure everyone has seen this message a number of times, particularly on websites that do a rush job of making their site HTTPS. Its purpose is to warn that HTTP is being used for a POST from an HTTPS page, and it's a very important job. However, I've noticed that it can also occur under other circumstances. In particular, I use a form with the method set to "GET", the enctype set to "text/plain", and the action set to a cryptocurrency protocol, such as "zcash:". My question is: is it the expected behavior for this prompt to show up regardless of conditions if HTTPS becomes any other protocol, or is it supposed to only get in the way of HTTP (and maybe possibly FTP)? I'm also not sure that a GET request is as dangerous as a POST request in practice, as no good web developer would use a GET request to send private information to begin with. Perhaps some more explicit code could be used to only show the prompt if it's over POST and/or if it's a transition from HTTPS to HTTP (+ FTP?) exclusively? I can see instances where POSTing to other protocols might be better off with the prompt, but chances are that GETting to another protocol is not the kind of event this message was designed to warn about. I guess it comes down to whether you want to prioritize user experience or user safety. In either case, it'd be nice if there was a way to say that certain protocols are either secure or local, and to treat secure and local protocols as though they're on the same grounds as HTTPS, and thus show no prompt.
