On 3/26/20 8:53 AM, Dave Page wrote:
> Some, maybe all of the major browsers no longer display the security
> realm on login prompts, which was previously used to inform the user of
> the anti-spam username and password used to protect the mailbox
> archives.
I think it's mainly broken in Chrome, though I just checked and this now
extends to Safari. It works fine in Firefox.
> This means that the only way to get it now is either to go
> find it in the source code for the website, or look at the response
> headers in the browsers developer tools.
>
> The attached patch adds a note to the page instead.
Syntax-wise please switch the "<i>" to "<em>". Should we go down this
patch, we'd also want to place that message on any page where one can
download an archive.
I do wonder if by placing the text on the site like that, we make it a
bit easier to defeat the original purpose of the prompt. Some other ideas:
1. We have a JavaScript snippet that executes when the page loads to
render the text in place. Not fool proof, but it's around the same level
as the current solution (though this would likely expose the credentials
in the JavaScript source).
2. We render the username/password using images. Similarly, not
foolproof, but requires a nontrivial effort.
And yes, it's fairly easy to get the credentials now and script it (at
least if you use Firefox, or browse our git repos), but I figure we
could make it a slight burden.
Jonathan