[tor-bugs] #14716 [Tor Browser]: HTTP Basic Authentication prompt only displayed once

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Apr 17 19:44:52 UTC 2015 

#14716: HTTP Basic Authentication prompt only displayed once
--------------------------+------------------------------------------------
     Reporter:  mcs       |      Owner:  mcs
         Type:  defect    |     Status:  new
     Priority:  normal    |  Milestone:
    Component:  Tor       |    Version:
  Browser                 |   Keywords:  tbb-usability-stoppoint-navigation
   Resolution:            |  Parent ID:
Actual Points:            |
       Points:            |
--------------------------+------------------------------------------------

Comment (by mcs):

 Replying to [comment:3 cypherpunks]:
 > Maybe also of note: choosing a New Identity from the onion menu doesn't
 resolve the problem, so this might be fingerprinting the browser instance
 as well.

 I am not 100% sure, but I think the reason failures continue even after
 New Identity is because the login manager code ends up in a bad state and
 stays that way until you restart the browser.

 The very first failure occurs inside
 toolkit/components/passwordmgr/nsLoginManager.js in the _storage getter.
 The root cause is deep inside NSS due to the lack of a key DB (due to
 #12998).  Kathy and I have experimented with two possible fixes:
 1. Add null checks for _storage in several places inside
 nsLoginManager.js.
 2. Put a hack inside NSC_InitPIN() (inside
 security/nss/lib/softoken/pkcs11.c) that returns CKR_OK instead of an
 error if there is no key DB and the password/pin has length zero. This
 fixes the problem because the fallback code uses a zero-length password to
 initialize an in-memory security DB.  And I think (but am not certain)
 that NSC_InitPIN() is trying to set a new password, which is an
 uninteresting thing to do in this case.

 The first approach is fairly straightforward but involves more changes.
 The second approach is more of an unknown but may possibly fix other
 "fallout" from #12998 (probably we would need to hold off until our next
 test release).

 Feedback welcome.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/14716#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list