Firefox 52.0 security changes
ehsan.akhgari at gmail.com
Thu Mar 23 02:21:22 UTC 2017
On Wed, Mar 22, 2017 at 9:30 PM, Daniel Veditz <dveditz at mozilla.com> wrote:
> I thought about that, but he seemed pretty certain the site never had a
> secure (https:) page so why would it use "secure" cookies? An insecure
> http: site couldn't use a "secure" cookie as an auth token because it would
> never be reflected back to itself. Bug 976073 would prevent new
> insecure-secure cookies from being set or modified but would not "log you
> out" by deleting existing ones.
Yeah, on the second reading of the original post, I think you're right here!
> -Dan Veditz
> On Wed, Mar 22, 2017 at 5:41 PM, Ehsan Akhgari <ehsan.akhgari at gmail.com> wrote:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=976073 shipped in 52, as
>> far as I can tell, and that is the kind of change that could be responsible
>> for the kind of symptoms that Dean is describing.
>> On Wed, Mar 22, 2017 at 5:09 PM, Daniel Veditz <dveditz at mozilla.com> wrote:
>>> There shouldn't have been anything in 52 that affected your cookies (the
>>> typical way sites keep you logged in). You'd have to ask other users of the
>>> site whether it used to be available over https:// (we don't know, we
>>> don't even know what site you're talking about). The only thing we did was
>>> a UI change to highlight the fact that passwords were being sent over an
>>> insecure connection.
>>> -Dan Veditz
>>> firefox-dev mailing list
>>> firefox-dev at mozilla.org
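
The cookie behaviour discussed in this thread, as an added example that is not part of the original messages and is not Firefox code: a simplified single-host cookie jar showing that a "secure" cookie is never sent back over http:, that an http: response cannot set or modify one, and that an existing one is left in place. The `CookieJar` class, the `demo` function and the cookie names are hypothetical; domain/path matching and expiry are left out.

```javascript
// Minimal model of one host's cookie jar (added example; not Firefox code).
// Domain/path matching and expiry are omitted to keep the rule visible.
class CookieJar {
  constructor() {
    this.cookies = new Map(); // name -> { value, secure }
  }

  // Apply a Set-Cookie from a response fetched over the given scheme.
  // Returns true if the cookie was stored, false if the jar ignored it.
  set(scheme, name, value, { secure = false } = {}) {
    const fromSecureOrigin = scheme === "https";
    const existing = this.cookies.get(name);
    if (!fromSecureOrigin) {
      // An http: response may not create a cookie carrying the Secure flag...
      if (secure) return false;
      // ...and may not overwrite one that already has it.
      if (existing && existing.secure) return false;
    }
    this.cookies.set(name, { value, secure });
    return true;
  }

  // Build the Cookie header for a request: Secure cookies go only to https:.
  header(scheme) {
    const out = [];
    for (const [name, c] of this.cookies) {
      if (c.secure && scheme !== "https") continue;
      out.push(`${name}=${c.value}`);
    }
    return out.join("; ");
  }
}

// Constructed scenario: the jar already holds a Secure cookie from earlier.
function demo() {
  const jar = new CookieJar();
  jar.cookies.set("sid", { value: "old", secure: true }); // pre-existing state
  return {
    httpSetsSecure: jar.set("http", "auth", "abc", { secure: true }),
    httpOverwrites: jar.set("http", "sid", "changed"),
    httpSetsPlain: jar.set("http", "theme", "dark"),
    stillStored: jar.cookies.get("sid").value, // rejected writes delete nothing
    sentOverHttp: jar.header("http"),
    sentOverHttps: jar.header("https"),
  };
}

console.log(demo());
```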