On 2016-04-15 7:47 AM, Tantek Çelik wrote:
> What steps can we take in this direction WITHOUT breaking web compat?
> E.g. since one of the issues raised is that *every* time a user
> enters/submits a password over HTTP (not secure), it opens them to
> being sniffed etc., thus it's good to discourage the frequency.
> Some STRAW PROPOSALS that I expect others here (and UX folks) to
> easily improve on:
> 1. Warning (perhaps similar to the invalid red glow) on password
> inputs in forms with HTTP "action"
We are making progress towards this and Aislinn Grigas from UX worked on
a design for something like this:
https://bugzilla.mozilla.org/attachment.cgi?id=8678150
We already started developer-specific warnings in the web console and in
the address bar of Nightly + Developer Edition:
https://hacks.mozilla.org/2016/01/login-forms-over-https-please/
There are some dependencies to fix before doing user-facing warnings
which we're currently working on. You can follow along in the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1217162
> 2. Warning (similarly) on HTTP-auth password dialogs
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1185145 which I
haven't seen a design for yet but should be less risky to implement than
for <input>. It is in the Firefox privacy/security team backlog.
Meta bug related to dealing with insecure login forms:
https://bugzilla.mozilla.org/show_bug.cgi?id=1217142
Thanks,
Matthew N.
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform