In 2017, Firefox Will Be Calling Out Password Fields On HTTP Pages.
Browsers do not like HTTP, and they are finally going to tell you about it. Earlier this year, Chrome announced that it would be warning users when a website presents a password field over HTTP.
Now Firefox has announced that they will also be warning about submitting passwords over HTTP. Mozilla developer Ryan Feeley posted about the upcoming behavior on his Twitter account.
The warning, which will premiere in Firefox 51 (planned release date in January 2017), will appear on any HTTP page that contains a password field. It does not matter if the page posts to (submits, for the non-developers) an HTTPS page, or if the password field is “hidden” (like arstechnica.com).
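For site owners who want to find affected pages before the release, the rule described above can be checked offline. This is an added example, not Mozilla's detection code: the function names and sample pages are constructed for illustration, and it only inspects static HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PasswordFieldFinder(HTMLParser):
    """Collects every <input type="password"> and the form it sits in."""

    def __init__(self):
        super().__init__()
        self.form_action = None   # action of the enclosing <form>, if any
        self.fields = []          # (field name, enclosing form action)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").strip().lower() == "password":
            self.fields.append((a.get("name") or "", self.form_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit_page(page_url, html):
    """Return one finding per password field on a page not served over HTTPS."""
    if urlsplit(page_url).scheme.lower() == "https":
        return []
    finder = PasswordFieldFinder()
    finder.feed(html)
    # The form target and CSS visibility are deliberately ignored: per the
    # article, neither an HTTPS action nor a hidden field avoids the warning.
    return [{"page": page_url, "field": name, "action": action}
            for name, action in finder.fields]


# Constructed sample pages (hypothetical hosts, not real sites).
SAMPLES = {
    "http://shop.example/login": '<form action="https://shop.example/auth">'
        '<input type="text" name="user"><input type="PASSWORD" name="pw"></form>',
    "http://news.example/": '<div style="display:none"><form action="/signin">'
        '<input type="password" name="pass"></form></div>',
    "https://bank.example/login": '<form action="/auth">'
        '<input type="password" name="pw"></form>',
    "http://blog.example/": '<form action="/search"><input name="q"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLES.items():
        for f in audit_page(url, html):
            print(f"WARN {f['page']}: password field {f['field']!r} -> {f['action']!r}")
```

A static scan like this misses password fields that scripts inject after load, so pages that build their login form in JavaScript still need checking in the browser.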
The warning will be released in two stages. In Firefox 51, the next version to be released, the warning will only appear in the address bar. The presence of a password field will cause a padlock with a red strike through it to appear, along with a written explanation if you click the lock (as seen in the below screenshot taken in Firefox Nightly).
In Firefox 52, the warning will become more visible. Named the ‘contextual warning’, it appears directly below the password field when a user . Displaying the warning directly near the field will be important for visibility. A warning in the address bar is a good first step, but less likely to be noticed, especially since it may not have been initially displayed on the website if the login form is on a standalone page.
Eventually, Firefox hopes to also warn when credit card fields are present. But detecting those effectively is still in the works.
For both Chrome and Firefox, this change is a small step towards a larger plan to deprecate HTTP. Both browsers will increase the scope and severity of warnings against HTTP, which will be released in stages as HTTPS use increases.
Firefox is also planning on disabling the autofill feature on HTTP pages, so that the browser won’t be facilitating insecure transmission of user credentials (this behavior is currently in Firefox Nightly).
Firefox 51 is planned for a January 2017 release. This will be around the same time that Chrome 56 ships with similar behavior.
For developers looking to learn more about Firefox’s treatment of password fields over HTTP, including the security risks of sending passwords insecurely and debugging information, see Mozilla’s dedicated doc. You have a little less than 2 months!