Edit summary: (→TODO)

Line 69:
** migration (set account realm for existing saved logins) [~1 day]
** also on password manager end (when saving new password) [~1 day (dolske?)]
;Security fixes
* shouldn't support http form auth transparently without more warning
* explicitly only allow http/https realm URIs (and not ftp, etc.)
* only allow https realms from https requests
* login CSRF: AMCD enforces where it can be used on which sites
* login CSRF: Link header URI needs to be restricted to the site
* make sure the Link header URI and the host-meta URI aren't conflicting if the header is missing?
* STS support - should Just Work, but test that requests get upgraded correctly
* ensure that SSL cert errors are handled appropriately
= Requirements =
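The realm-URI items in the security-fixes list (only http/https realm URIs, https realms only from https requests, Link header URI restricted to the site) describe a small validation step. The following is an added example of that step written in Node.js-compatible JavaScript; it is not Mozilla's account-manager code. It assumes a same-origin rule for "restricted to the site", resolves relative Link URIs against the requesting page, and uses a placeholder relation name (`account-management`) for the Link header, which is not taken from the page.

```javascript
// Added example (not the account-manager project's own code). Checks a
// candidate realm / AMCD URI against the TODO items above. The relation name
// and the same-origin rule are assumptions made for this example.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse an RFC 5988-style Link header into { uri, rel } entries.
function parseLinkHeader(value) {
  const entries = [];
  for (const part of value.split(',')) {
    const m = part.trim().match(/^<([^>]*)>\s*(.*)$/);
    if (!m) continue;
    const params = {};
    for (const p of m[2].split(';')) {
      const kv = p.trim().match(/^([a-zA-Z0-9-]+)\s*=\s*"?([^"]*)"?$/);
      if (kv) params[kv[1].toLowerCase()] = kv[2];
    }
    entries.push({ uri: m[1], rel: params.rel || '' });
  }
  return entries;
}

// Apply the three URI rules from the list. Returns { ok, reason | realm }.
function checkRealm(requestUrl, realmUri) {
  let request, realm;
  try {
    request = new URL(requestUrl);
    realm = new URL(realmUri, request); // relative URIs resolve against the page
  } catch (e) {
    return { ok: false, reason: 'unparseable URI' };
  }
  // "explicitly only allow http/https realm URIs"
  if (!ALLOWED_SCHEMES.has(realm.protocol)) {
    return { ok: false, reason: 'realm scheme not http/https' };
  }
  // "only allow https realms from https requests"
  if (realm.protocol === 'https:' && request.protocol !== 'https:') {
    return { ok: false, reason: 'https realm offered over non-https request' };
  }
  // "Link header URI needs to be restricted to the site" (same-origin here)
  if (realm.origin !== request.origin) {
    return { ok: false, reason: 'realm origin differs from request origin' };
  }
  return { ok: true, realm: realm.origin };
}

// Pick the realm advertised in a Link header and validate it.
// 'account-management' is a placeholder relation name, not from the page.
function realmFromLinkHeader(requestUrl, linkHeader, rel = 'account-management') {
  for (const entry of parseLinkHeader(linkHeader)) {
    if (entry.rel.split(/\s+/).includes(rel)) {
      return checkRealm(requestUrl, entry.uri);
    }
  }
  return { ok: false, reason: 'no matching Link relation' };
}

// Constructed sample inputs for a stand-alone run.
console.log(checkRealm('https://example.com/login', '/amcd.json'));
console.log(checkRealm('http://example.com/login', 'https://example.com/amcd.json'));
console.log(realmFromLinkHeader('https://example.com/login',
  '<https://example.com/amcd.json>; rel="account-management"'));
```

Each rejection carries a reason so the caller can decide whether to log the event or surface a warning to the user; a cross-origin or non-https realm is dropped rather than silently downgraded.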