This repository has been archived by the owner on May 10, 2019. It is now read-only.

lastpass thinks browserid form is insecure #919

Closed
benadida opened this issue Jan 19, 2012 · 10 comments

Comments

@benadida
Contributor

it's not clear why

@ghost ghost assigned benadida Mar 8, 2012
@seanmonstar
Contributor

closing this. if it's still a problem, please reopen.

@David263

David263 commented Apr 9, 2013

In view of the fact that the same error message ("LastPass detected a login form that is insecure.") can appear for pages that do not contain forms at all (https://forums.lastpass.com/viewtopic.php?t=79504), this is probably purely a LastPass bug.

@jaredhirsch
Member

and it seems like opening a related issue resolved the HTTP 422 errors I was seeing when trying to comment.

Closing the other bug, copying comments in here, reopening here. cc @jmswisher

@jaredhirsch jaredhirsch reopened this Sep 18, 2013
@jaredhirsch
Member

@jmswisher was having problems commenting on this bug earlier (and oddly I was, too), anyway, here's what she heard back from the LastPass team:

jms My comment is: 11:25
jms There is finally response from LastPass on that thread: 11:25
jms > A login form is considered insecure if its method is GET or its action starts with mailto:. 11:25
jms > Please note that if the method is omitted, it defaults to GET. 11:25
jms Whether or not this is a correct assessment by LastPass, it will be perceived as Persona's problem. I get this message at least 3 times every time I log in with Persona. If I were not a Mozillian, this would seriously deter me from logging in anywhere with Persona.

If it's just a matter of adding the action attribute to our form, this seems like a super easy fix. Reopening, will try to quickly resolve.
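
The rule quoted from LastPass in the comment above, written as a check over form markup. This is an added example, not code from the browserid repository or from LastPass: `auditForms`, `parseAttributes` and the sample HTML are hypothetical names and constructed input, and treating an unrecognised `method` value as GET is an assumption based on HTML's form defaults, not something LastPass stated.

```javascript
// Added example: applies the rule quoted in this thread to raw HTML templates.
// Assumption: a regex tag scan is enough for auditing static markup; it is not
// a full HTML parser and does not see forms that are built by script.

// Constructed sample markup, not taken from the browserid code base.
const SAMPLE_HTML = `
<form id="no-method"><input type="password" name="p"></form>
<form id="explicit-get" METHOD="get" action="/login"><input type="password"></form>
<form id="mail" method="post" action=" MailTo:admin@example.com"></form>
<form id="ok" method='post' action="/auth"><input type="password"></form>
`;

// Parse the attributes of one opening <form> tag into a lower-cased name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<form\b/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    // HTML keeps the first occurrence of a duplicated attribute.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per <form> that the quoted rule would flag.
function auditForms(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<form\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi)) {
    const attrs = parseAttributes(tag);
    // A missing or unrecognised method is submitted as GET, which puts the
    // submitted fields into the URL.
    const method = (attrs.method || "").trim().toLowerCase();
    const effective = method === "post" || method === "dialog" ? method : "get";
    const action = (attrs.action || "").trim().toLowerCase();
    const reasons = [];
    if (effective === "get") reasons.push("method" in attrs ? `method="${attrs.method}" submits as GET` : "method omitted (defaults to GET)");
    if (action.startsWith("mailto:")) reasons.push("action starts with mailto:");
    if (reasons.length) findings.push({ id: attrs.id || null, reasons });
  }
  return findings;
}

console.log(JSON.stringify(auditForms(SAMPLE_HTML), null, 2));
```
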

@jaredhirsch
Member

@jmswisher I've added method="post" to the forms in the dialog, but I still can't get LastPass to work. Want to give it a shot? https://lastpass.personatest.org

@jaredhirsch
Member

@jmswisher To give a bit more context--I don't use LastPass and it seems, from looking at their forums, that it's a bit complex to use with multi-page forms (where the username field, password field, and submit button aren't on the same html page). Maybe you've got some experience here and can get it working or tell me how to get an error message for further debugging?

jaredhirsch added a commit to jaredhirsch/browserid that referenced this issue Sep 18, 2013
@jmswisher

On that test site, I do not get the message from LastPass that the login form is insecure. On other Persona sites, this message comes up as soon as the Persona popup does.

On the other hand, I also don't get past the first Persona screen. Is the test site supposed to be fully functional? If I enter my email address and click Next, nothing happens for a while, and then I get:

Error
Please close this window and try again.
Action: Checking Address Info
Now: Thu, 19 Sep 2013 05:20:34 GMT
{ "code": "timeoutError", "msg": "Provisioning timed out." }

@jaredhirsch
Member

@jmswisher that's odd, the site works for me. Maybe try a different email address, or try again?

@jmswisher

Worked with a different email address. Trying to use my mozilla.com address probably complicated things.

@callahad
Contributor

Hi! To help us better focus, I'm "closing" all issues that have been open for more than six months. These have been tagged "cleanup-2014" so that we can go back and review them in the future.

For more information, check out this thread: http://thread.gmane.org/gmane.comp.mozilla.identity.devel/7394

If you believe this bug is still a major issue for you, please comment, submit a pull request, or discuss it on our mailing list: https://lists.mozilla.org/listinfo/dev-identity

Sorry for GitHub notification spam!
