The Bugzilla tickets linked from that article frustrate me. They should autoplay Yakety Sax music as they dodge around fixing the real @#$@ing bug:
Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth and JavaScript alert() to the individual browser tab. No individual tab should ever be allowed to pop a modal that prevents interaction with any other tab, any other browser window.
This problem immediately goes away and you don't need to play rate limit whack-a-mole games or do stupid things like have a dialog box that asks if you want to see another modal dialog box.
As someone who interacts with HTTP basic auth frequently, Firefox's behavior here is maddening. Fix the bad UI.
> Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth and JavaScript alert() to the individual browser tab. No individual tab should ever be allowed to pop a modal that prevents interaction with any other tab, any other browser window.
So, `alert()` was fixed about 10 years ago in Firefox.
I'm not sure why the "Authentication Required" dialog wasn't, but I'm willing to bet it's something that was blocked indirectly by the old extension infrastructure (the so-called XUL extensions): until Firefox ~57, huge chunks of the architecture of Firefox were impossible to touch without breaking XUL extensions at a fundamental level, and this included making many things non-blocking.
If I'm right, it's the kind of thing that can now be fixed.
The answer is probably something like "that dialog came from necko, because we didn't put in a good way to propagate blocking prompts back up from the network layer in a way that identifies which tab wants the request".
If extensions were the problem, an interface to actually let the extensions work would have been created. As it is, you still can't implement a password manager natively.
Wow, yes, having looked at it, it's really that simple. All the exploit is doing is triggering a 403 authentication popup. There's even a comment on that bug with the exact scam in it - from two years ago!
In-browser treatment of HTTP auth is just shockingly bad. But Firefox seems to be somewhere you get rewarded for introducing new features rather than fixing bugs.
Funnily enough, in old versions of Firefox (before they deprecated the old plugin system), password managers like LastPass were able to alter the http-auth pop-up so as to add their functionality to it.
At the time I thought that was cool, and was sad when it went away with the new plugin architecture, but looking back it does indicate quite how bad the situation was with that old plugin format.
This behavior causes another problem as well. I am unable to interact with my password manager plugin when a basic auth dialog is active. I need to remember to manually look up the password and have it in the clipboard before navigating to a site that uses basic auth or else open an additional Firefox window.
Honestly, I'm not sure why browsers don't create a pseudo page setup for things like HTTP auth, JavaScript prompts, etc. Instead of an ugly blocking modal, generate a basic login form/page with nicer styling that doesn't take over the entire window or tab. Like they do for a new tab or whatnot.
Just copy Chrome and confine all modal dialog boxes such as HTTP basic auth and JavaScript alert() to the individual browser tab. No individual tab should ever be allowed to pop a modal that prevents interaction with any other tab, any other browser window.
This problem immediately goes away and you don't need to play rate limit whack-a-mole games or do stupid things like have a dialog box that asks if you want to see another modal dialog box.
As someone who interacts with HTTP basic auth frequently, Firefox's behavior here is maddening. Fix the bad UI.
Edit: Oh, and here is a 13-year-old bug about the real issue: https://bugzilla.mozilla.org/show_bug.cgi?id=377496