Michael Catanzaro authored
This prevents an active MITM attacker from enumerating all your saved passwords. The attacker will now only be able to access passwords saved on http:// sites. That's by design, though; users are now warned when focusing insecure password forms and should think twice before saving such passwords.

Unfortunately this does introduce a migration issue, in that no previously-saved passwords will be available on https:// websites anymore, and all previously-saved passwords will still be enumerable by attackers. I'm not sure how to handle migration. We might be able to handle it nicely by using the history service to guess whether a password should be migrated from http:// to https://, but that is not a simple project.

https://bugzilla.gnome.org/show_bug.cgi?id=752738
fae52498