Update: This feature is now also enabled in Firefox Beta, starting with Firefox Beta 50.
Pretty much everyone who uses the web has used a password to log into something. And pretty much everyone who has used a password has put that password at risk by entering it into an insecure form.
In Firefox 46 Developer Edition, we display a prominent warning to developers about this risk. When a page with a password field is not delivered securely, Firefox displays a lock with a red strikethrough in the address bar:
If you’re submitting your login form over HTTPS, that’s good, but it’s not enough. You have to deliver the form over HTTPS too. If the login form isn’t delivered over a secure channel, then an attacker can inject JavaScript code to steal the user’s password — every character the user types can be stolen by the attacker.
We’re releasing this feature in Developer Edition, since developers are ultimately the ones who need to make logins more secure on the sites they build. (There are no current plans to show these warnings to users of Beta and general release Firefox.) We’ve been displaying a warning in the Developer Tools Web Console for a long time; adding the struck-through lock icon to the URL bar makes the issue more prominent.
You can read more about this feature here.
About Tanvi Vyas
Security/Privacy Engineer and Tech Lead at Mozilla - @TanviHacks