Not url in HTTP Basic Auth #13

Closed
max13fr opened this issue Sep 9, 2016 · 8 comments
max13fr commented Sep 9, 2016

Hello,

The title of the popup for HTTP auth doesn't contain any URL.

For example:
https://auth-demo.aerobatic.io/protected-standard/

In KeePass, the window just contains "Authentification requise" (in the French version) without any URL (therefore, it can't be used for auto-type in KeePass).

Could you fix that?

Thanks in advance & congratz for this great extension.

Max

@max13fr changed the title from "No url in HTTP Basic Auth" to "Not url in HTTP Basic Auth" on Sep 9, 2016
@cloutierjo

+1

@erichgoldman
Owner

@max13fr I believe you are referring to something like this:

Screenshot of trying to access the authentication for the given example, which is basic auth

It is not possible to change the title in that pop up through this add-on. The add-on changes the `<title />` tag to change the window's title. In old XUL add-ons it may have been possible, but the text for that window title comes from deep within Firefox and I do not believe there is any way to access it with a restartless add-on.

I think in this case you would have to have multiple matches on "Authentification requise" within KeePass and then select from the correct pattern on the duplicate list. You would use a "custom sequence" and set the "Target Window" as below. If you have multiple that use this basic-auth, then you would do the same and get a pop up window when doing auto-type.

screenshot showing how to configure the Target Window in KeePass

@sergeevabc

It’s a crucial thing. Workaround is too dirty as there are too many similar windows.
Have you checked how this is implemented within Keepass Helper extension?

@Francewhoa

Francewhoa commented Jun 1, 2018

Same challenge here. add-url-to-window-title is presently not able to add the URL to the HTTP Basic Auth pop up. With a large amount of HTTP Basic Auth pop ups it's hard and slow to scroll through a long list to find the correct entry.

Steps to reproduce

  1. Go to https://www.httpwatch.com/httpgallery/authentication/#showExample10
  2. Click on "DISPLAY IMAGE" button
  3. The HTTP Basic Auth pop up window will open. Notice that the URL was not added to the HTTP Basic Auth pop up title. This is the challenge.
    http-basic-auth
  4. The suggested new feature expected result is a URL would be added to the HTTP Basic Auth pop up title.
    Authentication Required - https://<URL.HERE>
    Instead of Authentication Required

This is to confirm that the keepass-helper add-on is able to add the URL to HTTP Basic Auth pop up windows. Maybe some of its open source code could be recycled for add-url-to-window-title?

Any volunteer for a patch? I would be happy to contribute testing and or documentation.

Using:

  • add-url-to-window-title 1.03
  • Firefox 52.8 at 64 bit
  • Debian 8 Jessie

@Francewhoa

Similar challenge at cloutierjo/titleUrl#1

@Francewhoa

Francewhoa commented Jun 1, 2018

Workaround
This is a temporary workaround. This MultiPass Disarmed for HTTP basic auth add-on is able to store HTTP Basic Authentication credentials.

Strength

  • Allow you to automatically enter the HTTP Basic Auth credentials. Then use add-url-to-window-title add-on and KeePass(X/XC) or equivalent for the remaining form(s).
  • Open source
  • No spyware

Challenge
It seems to presently have weak storage security. In plain text. I mean an unauthorized person with access to your computer would be able to read anything stored using this add-on. Such as HTTP Basic Authentication URLs, usernames, and passwords. Related ticket at excitoon/MultiPassDisarmed#2

Suggestion
Use this add-on only for appropriate sites. Which do not contain sensitive information. Or off-line.

@erichgoldman
Owner

erichgoldman commented Jun 1, 2018

@Francewhoa keepass-helper is an XUL extension. XUL extensions allow you to modify the browser chrome. Old style Firefox Restartless and new Chrome style add-ons cannot modify the chrome.

MultiPass Disarmed seems to be a modern extension. It stores and manages your passwords. In modern Chrome style extensions you can intercept the request before it is sent. It intercepts the request and then queries the app's internal password database.

I would need to experiment more with this function and the security requirements. My initial thought is that you intercept the request at the onAuthRequired event in the lifecycle, provide an alternate UI that allows you to change the title and use Add URL to Window Title to capture from KeePass, then pass those to the callback. It looks like you can make the callback blocking, but I do not think you can request info from the UI.

For now, I don't see a clear path forward with this technique. Further, this would have to be part of the new version and not the current codebase.

If you use Vivaldi I believe it may be possible to use chrome-hacks to change the basic auth popup, but that may actually still come from the underlying chrome code.
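
An added example (not part of the thread and not code from either add-on) of answering the `onAuthRequired` event in blocking mode from a Firefox WebExtension background script, with the origin, realm, cleartext and retry checks a credential-filling handler needs. The in-memory store, host name and realm are constructed placeholders, and the `browser` namespace is assumed to be Firefox's.

```javascript
// Added example; not code from add-url-to-window-title or MultiPass Disarmed.
// Constructed sample store keyed by "<origin>|<realm>". A real extension would
// query a password manager rather than hold secrets in memory.
const SAMPLE_STORE = new Map([
  ["https://intranet.example.test:443|Staff Area",
    { username: "alice", password: "constructed-secret" }],
]);
const answered = new Set(); // requestIds already given credentials

// Pure decision function, so the policy can be tested outside a browser.
// Returning {} takes no action and leaves the browser's own prompt in place.
function decideAuth(details, store = SAMPLE_STORE, seen = answered) {
  // A proxy challenge does not come from the site named in details.url.
  if (details.isProxy) return {};
  // Basic credentials are only base64-encoded: never send them over HTTP.
  if (new URL(details.url).protocol !== "https:") return {};
  // Same requestId again means the server rejected our answer; stop here
  // instead of looping on a wrong password.
  if (seen.has(details.requestId)) return {};
  // Bind the lookup to the exact challenger origin and realm.
  const { host, port } = details.challenger;
  const creds = store.get(`https://${host}:${port}|${details.realm || ""}`);
  if (!creds) return {};
  seen.add(details.requestId);
  return { authCredentials: { username: creds.username, password: creds.password } };
}

// Register only inside an extension background script. Requires the
// "webRequest" and "webRequestBlocking" permissions plus host permissions.
if (typeof browser !== "undefined" && browser.webRequest) {
  const filter = { urls: ["https://*/*"] };
  const forget = (d) => answered.delete(d.requestId);
  browser.webRequest.onAuthRequired.addListener(
    (details) => decideAuth(details), filter, ["blocking"]);
  browser.webRequest.onCompleted.addListener(forget, filter);
  browser.webRequest.onErrorOccurred.addListener(forget, filter);
}
```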

@erichgoldman
Owner

I just did some quick tests using the basic auth for a router - in Chrome it will show the URL in the title before loading the basic auth and would therefore allow for KeePass matching. When I tried a modern version of Firefox, version 60, it does not change the title before the basic auth is presented. I tried Firefox 44 and in that version the title changes to "Connecting".

Perhaps we should open a bug with Firefox to set the title for basic auth to include the URL without the need for an extension.
