Browserpass should be able to execute javascript to trigger HTTP basic auth

[equaeghe]

General information

• Operating system + version: Gentoo Linux, mostly stable packages
• Browser + version: Firefox 60.2.2 ESR
• Information about the host app: version 2.0.22, installed via Gentoo package manager

• Information about the browser extension: version 2.0.22, installed via built-in addons page

Exact steps to reproduce the problem

1. Go to page with ‘login‘ button that calls login() javascript code
2. Clicking this button opens a HTTP basic auth dialog

What should happen?

Browserpass should be able to submit the credentials, e.g., by executing javascript code given in the password file (in my case, login()). For example, in a field called execute.

What happened instead?

Browserpass cannot deal with such authentication setups.

I know such pages are ‘stupid’, but this is the page of an appliance that I cannot change. I suspect there are other instances of this kind.

[maximbaz]

Hi there 🙂 I haven't heard of an attribute called execute, I think it's not in the spec. But in general, executing random javascript code on a page is a bad idea, our goal is not to make browserpass detect as many buttons as possible, but to have as few false positives as possible, i.e. avoid clicking a button if we aren't sure it really is a login button. In some cases, when a markup is really bad, you have to live with manually submitting the form.

Is this page public, can I look at the html markup myself? If not, could you save the page and attach it to the issue?

[equaeghe]

I haven't heard of an attribute called execute, I think it's not in the spec.

I meant a field in the password file. The name ‘execute’ was just a suggestion.

But in general, executing random javascript code on a page is a bad idea

I understand, although it wouldn't be random javascript, but code explicitly put there by the user.

to have as few false positives as possible, i.e. avoid clicking a button if we aren't sure it really is a login button

That is reasonable, but with my suggestion, the ‘button clicking’ would be explicitly requested by the user in the password file.

Is this page public, can I look at the html markup myself?

No, but I copy-pasted the code for the button that triggers the basic auth dialog:

• HTML (subframe):

• JS:

  function login(){ if( getCookie("NEVERSHOW") == 1 ){ parent.location = "index_ad.htm"; } else { parent.location = "setupfrm.htm"; } }

While doing that, I realized that I should just surf to index_ad.htm to get the basic auth dialog. So I put that in the url field in the password file and then used browsepass to go to that page (as with other sites using basic auth). However, browserpass then does not log me in. It does for other sites, but they require basic auth for the whole (sub)domain.

Perhaps I should update the title of this issue to reflect that it isn't about javascript execution anymore, but now just about basic auth filling for specific pages, not just domains?

[maximbaz]

Ah, I see what you meant about execute now, but it still doesn't feel like a good idea to me.

But since we are on the topic about basic auth, can you explain in more details what exactly happens? So you put full path to index_ad.html in the url field, navigate with browserpass there, but see no error, you are not redirected to any different url, and yet credentials are not filled?

[equaeghe]

Indeed, I just get the basic auth authentication dialog. It does work for other sites using basic auth, but I think the difference is that there the whole domain requires basic auth, whereas here, it is just a specific page. (This does seem strange to me, yes.)

[maximbaz]

I don't think our code has that restriction, it just opens the page specified in url and unless there is a redirect it fills in the credentials. Since it's not a public page, you'd have to debug this yourself. Have a look if you have any errors in console, also see if you can put breakpoints and observe where the code reaches.

Here's when browserpass opens a new url:

https://github.com/browserpass/browserpass/blob/99efdc5e878c69568e7831c8ed1325ea2243dc56/chrome/background.browserify.js#L197

And here's when it tries to submit your credentials:

https://github.com/browserpass/browserpass/blob/99efdc5e878c69568e7831c8ed1325ea2243dc56/chrome/background.browserify.js#L203

/cc @erayd for other debugging ideas

[erayd]

@equaeghe Browserpass will only provide basic auth to the first page that is opened. This is a security consideration.

If your password file contains the exact URL of the page that is requesting authentication, then it should work. It's not related to the domain, although it will prompt you before filling into a domain that doesn't match.

If the page is sitting at the end of a delayed redirect, then browserpass will ignore it, and you'll need to enter credentials manually. As this is an important security concern, that behavior will not change.

[maximbaz]

No follow-up, closing.