Firefox 52.0 security changes

Ehsan Akhgari ehsan.akhgari at gmail.com
Thu Mar 23 02:21:22 UTC 2017


On Wed, Mar 22, 2017 at 9:30 PM, Daniel Veditz <dveditz at mozilla.com> wrote:

> I thought about that, but he seemed pretty certain the site never had a
> secure (https:) page so why would it use "secure" cookies? An insecure
> http: site couldn't use a "secure" cookie as an auth token because it would
> never be reflected back to itself.  Bug 976073 would prevent new
> insecure-secure cookies from being set or modified but would not "log you
> out" by deleting existing ones.
>

Yeah, on the second reading of the original post, I think you're right here!


>
> -Dan Veditz
>
> On Wed, Mar 22, 2017 at 5:41 PM, Ehsan Akhgari <ehsan.akhgari at gmail.com>
> wrote:
>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=976073 shipped in 52, as
>> far as I can tell, and that is the kind of change that could be responsible
>> for the kind of symptoms that Dean is describing.
>>
>> On Wed, Mar 22, 2017 at 5:09 PM, Daniel Veditz <dveditz at mozilla.com>
>> wrote:
>>
>>> There shouldn't have been anything in 52 that affected your cookies (the
>>> typical way sites keep you logged in). You'd have to ask other users of the
>>> site whether it used to be available over https:// (we don't know, we
>>> don't even know what site you're talking about). The only thing we did was
>>> a UI change to highlight the fact that passwords were being sent over an
>>> insecure connection.
>>>
>>> -Dan Veditz
>>>
>>> _______________________________________________
>>> firefox-dev mailing list
>>> firefox-dev at mozilla.org
>>> https://mail.mozilla.org/listinfo/firefox-dev
>>>
>>>
>>
>>
>> --
>> Ehsan
>>
>
>


-- 
Ehsan
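
The cookie behaviour discussed in this thread, as an added example that is not part of the original messages and is not Firefox code: a simplified cookie-jar model in which an http: origin can neither set nor modify a "secure" cookie, existing secure cookies are left in place, and secure cookies are never sent over http:. The names `CookieJar`, `setCookie` and `cookiesFor` and the host `example.test` are assumptions; cookies are keyed by host and name only, with no path or domain matching.

```javascript
// Simplified cookie-jar model (added illustration, not Firefox source).
// CookieJar, setCookie and cookiesFor are hypothetical names.
class CookieJar {
  constructor() {
    this.store = new Map(); // key: "host|name" -> { value, secure }
  }

  // Returns true if the cookie was stored, false if it was rejected.
  setCookie(url, name, value, { secure = false } = {}) {
    const u = new URL(url);
    const fromSecureOrigin = u.protocol === "https:";
    const key = `${u.hostname}|${name}`;
    const existing = this.store.get(key);

    if (!fromSecureOrigin) {
      // An http: response may not create a "secure" cookie.
      if (secure) return false;
      // An http: response may not modify an existing "secure" cookie.
      // The existing cookie is kept, not deleted.
      if (existing && existing.secure) return false;
    }
    this.store.set(key, { value, secure });
    return true;
  }

  // Cookies attached to a request for `url`, as a name -> value object.
  cookiesFor(url) {
    const u = new URL(url);
    const isHttps = u.protocol === "https:";
    const out = {};
    for (const [key, c] of this.store) {
      const [host, name] = key.split("|");
      if (host !== u.hostname) continue;
      // "secure" cookies are never sent over http:, so an http-only
      // site never gets one reflected back as an auth token.
      if (c.secure && !isHttps) continue;
      out[name] = c.value;
    }
    return out;
  }
}
```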