Re: Basic Authentication issue in 2.46
Paul in Houston, TX wrote:
>> Is it possible to disable the 'Upgrade-Insecure-Requests' header in SeaMonkey?
>
> Any references to Insecure in about:config?

I found these four, tried toggling the first, but no luck...

network.websocket.allowInsecureFromHTTPS
security.tls.insecure_fallback_hosts
security.warn_submit_insecure
services.sync.prefs.sync.security.warn_submit_insecure

--
Gerry Hickman (London UK)
___
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
Re: Basic Authentication issue in 2.46
Gerry Hickman wrote:
> I have a SiteCom router with an embedded web server. For many years I was able to log in from SeaMonkey by typing http://10.0.0.1/ and then the user name and password. This still works in older versions of SM and FF, but not in SM 2.46.
>
> I believe the issue is related to a new HTTP header being sent by SM 2.46
>
> Upgrade-Insecure-Requests: 1
>
> I set up a raw HTTP test on a Linux VM (without using a browser) and tested both with and without this header.
>
> Request with header : Authentication FAILS
> Request without header : Authentication WORKS
>
> It's quite strange, as I don't see how the router can even know about this header as it's too old. I also noticed something even more odd, if I change the header to something like
>
> BlahBlahBalh: 1
>
> the authentication also fails, but if I use
>
> BlahBlahBalh: one
>
> everything starts working.
>
> Is it possible to disable the 'Upgrade-Insecure-Requests' header in SeaMonkey?

I found this same behavior with my Linksys/Cisco WRT120N home router that I bought in 2010. Since SeaMonkey is based pretty much on Firefox code, I checked it there with the same result. So I decided to file a bug report on Firefox because any fix there would/should migrate to the SeaMonkey code.

See https://bugzilla.mozilla.org/show_bug.cgi?id=1330795

The Comment story started 4 months ago and has recently concluded that my router is the bad boy. It has been at end-of-life status according to Linksys/Cisco for about 6 years.

The only workaround I have is, as you have found, to use the older version of SM, or another browser such as Google Chrome, MS Edge or Pale Moon - that apparently do not (yet) send the Upgrade-Insecure-Header in the request.

This header mechanism is legitimate W3C: https://w3c.github.io/webappsec-upgrade-insecure-requests/

It looks like we got to learn to live with it.

How old is your SiteCom router? Have you looked into available firmware upgrades for it?
Re: Basic Authentication issue in 2.46
Gerry Hickman wrote:
> I have a SiteCom router with an embedded web server. For many years I was able to log in from SeaMonkey by typing http://10.0.0.1/ and then the user name and password. This still works in older versions of SM and FF, but not in SM 2.46.
>
> I believe the issue is related to a new HTTP header being sent by SM 2.46
>
> Upgrade-Insecure-Requests: 1
>
> I set up a raw HTTP test on a Linux VM (without using a browser) and tested both with and without this header.
>
> Request with header : Authentication FAILS
> Request without header : Authentication WORKS
>
> It's quite strange, as I don't see how the router can even know about this header as it's too old. I also noticed something even more odd, if I change the header to something like
>
> BlahBlahBalh: 1
>
> the authentication also fails, but if I use
>
> BlahBlahBalh: one
>
> everything starts working.
>
> Is it possible to disable the 'Upgrade-Insecure-Requests' header in SeaMonkey?

Any references to Insecure in about:config?
Basic Authentication issue in 2.46
I have a SiteCom router with an embedded web server. For many years I was able to log in from SeaMonkey by typing http://10.0.0.1/ and then the user name and password. This still works in older versions of SM and FF, but not in SM 2.46.

I believe the issue is related to a new HTTP header being sent by SM 2.46

Upgrade-Insecure-Requests: 1

I set up a raw HTTP test on a Linux VM (without using a browser) and tested both with and without this header.

Request with header : Authentication FAILS
Request without header : Authentication WORKS

It's quite strange, as I don't see how the router can even know about this header as it's too old. I also noticed something even more odd, if I change the header to something like

BlahBlahBalh: 1

the authentication also fails, but if I use

BlahBlahBalh: one

everything starts working.

Is it possible to disable the 'Upgrade-Insecure-Requests' header in SeaMonkey?

--
Gerry Hickman (London UK)
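The with/without-header test described in the original post can be scripted as below. This is an added example, not code from the thread. `StubRouter` is a constructed stand-in that only reproduces the reported symptom; its fault rule, the credentials and the function names are assumptions.

```python
import base64, socket, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD = "admin", "example-password"  # constructed credentials

class StubRouter(BaseHTTPRequestHandler):
    """Constructed stand-in: mimics the reported symptom, not real firmware."""
    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
        known = {"host", "authorization", "connection"}
        # Assumed fault rule: an unrecognised header whose value is "1" breaks auth.
        confused = any(k.lower() not in known and v.strip() == "1"
                       for k, v in self.headers.items())
        ok = self.headers.get("Authorization") == expected and not confused
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass

def probe(host, port, extra_header=None):
    """Send one raw GET with Basic auth and return the HTTP status code."""
    token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    lines = ["GET / HTTP/1.1", f"Host: {host}", f"Authorization: Basic {token}"]
    if extra_header:
        lines.append(extra_header)
    lines += ["Connection: close", "", ""]
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall("\r\n".join(lines).encode("ascii"))
        status_line = s.makefile("rb").readline().decode("ascii", "replace")
    return int(status_line.split()[1])

def run_matrix(host, port):
    """Repeat the same authenticated request, varying only the extra header."""
    cases = [None, "Upgrade-Insecure-Requests: 1", "BlahBlahBalh: 1", "BlahBlahBalh: one"]
    return {c or "(no extra header)": probe(host, port, c) for c in cases}

def demo():
    server = HTTPServer(("127.0.0.1", 0), StubRouter)  # loopback only, free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return run_matrix("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{status}  {case}")
```

Against a real device, call `run_matrix` with its address and port 80 after setting `USER` and `PASSWORD`; a 401 that appears only in the rows where the extra header's value is `1` matches the behaviour reported in this thread.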