
Cross-subdomain login not supported by Chrome's Password Manager #278

TheFrozenFire opened this Issue · 2 comments


@TheFrozenFire

This issue is only tangentially related to Reddit, but it was a change in Reddit that caused me to notice the issue, and it really is a result of Reddit implementing their login system in a way which skirts the edges of what's considered acceptable security practices.

I've opened a bug for Chromium which addresses the issue on their end, found at http://code.google.com/p/chromium/issues/detail?id=107009. This might give a better understanding of why the issue is occurring.

The issue is that Chrom(e/ium)'s password manager is blocked when the origin of the dialog_form (what domain it's located on) is different from the host of the form's action. The purpose of this, in theory, is to block the password manager being exploited into providing stored credentials to other domains, in certain circumstances.

The way Reddit's login system seems to be implemented is that the form is located on http://www.reddit.com, and the action of the form is https://ssl.reddit.com. Because of the way cookies work (see RFC 6265), this is bad design. In theory, cookies set by ssl.reddit.com should not be available to www.reddit.com. Relatedly, form submissions from www.reddit.com are not necessarily in the "protected zone" of ssl.reddit.com, so the password manager is forced to not provide login credentials to that form.

The solution to this would be to keep form actions for logins on the same subdomain as the forms themselves. Otherwise, browsers which implement password manager security like Chrom(e/ium) will not work.

@chromakode

Justin, thanks for your detailed writeup. We'll look into this.

@Reyncor

One year later... this is not an annoyance. It's a security issue, particularly with the lack of OAuth. I'm new to reddit, to be honest, this is a huge hit on your respectability.
