https://bz.apache.org/bugzilla/show_bug.cgi?id=69326
Bug ID: 69326
Summary: Documentation for AuthName should note that nowadays,
browsers no longer display the "realm"
Product: Apache httpd-2
Version: 2.4.62
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authn_core
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
It seems that these days, browsers no longer show the "realm" string specified
by AuthName in the password dialog as this string is not trustworthy:
See:
https://stackoverflow.com/questions/69303610/why-dont-modern-web-browsers-display-the-realm-value-for-http-authentication
"The reason is that this could be abused for phishing attacks, by putting some
misleading message into the realm. The login dialog for http authentication is
part of the trusted browser UI, and giving the server the opportunity to modify
that UI - even by just displaying text - is a security risk."
This fact should be noted in the documentation for
https://httpd.apache.org/docs/2.4/mod/mod_authn_core.html#authname