Closed erayd closed 6 years ago
@maximbaz Any chance of a code review? I'd rather this was merged sooner than later to get that hole closed off ASAP.
Credentials are now discarded immediately as soon as the tab has loaded
So now we intentionally make it so that browserpass will never fill credentials on https://www.httpwatch.com/httpgallery/authentication/ after clicking on "Display image", even if this page was opened via browserpass. Is that right?
Yes.
Going forward, I'd like to address this use-case by intercepting the auth request and allowing the user to choose a credential, but I need to think about how to do this in a sane manner. In the meantime, simply disallowing the scenario feels much safer.
This PR fixes #230:
Once again, I apologise for #230 - that is my fault, and my oversight. I'm usually more careful than that, and I sincerely regret that I allowed this one to slip through.