http://user:pass@site/ link asks ‘Is "user" the site you want to visit?’

Bug #271933 reported by Anders Kaseorg
This bug affects 1 person

Affects               Status        Importance  Assigned to  Milestone
Mozilla Firefox       Invalid       Medium
firefox (Fedora)      Fix Released  Medium
firefox-3.0 (Ubuntu)  Confirmed     Undecided   Unassigned

Bug Description

Binary package hint: firefox-3.0

[Mozilla upstream suggests this might be an Ubuntu problem, so I’m filing a report here.]

Before letting you visit a potentially confusing URL with an embedded HTTP username:password, Firefox pops up a “helpful” warning dialog asking you to confirm the site you intended to visit. Unfortunately, it asks you to confirm that you intend to visit the _username_, not that you intend to visit the real site!

For example:
http://www.google.com:<email address hidden>/

Confirm

You are about to log in to the site "members.tripod.com" with the username "www%2Egoogle%2Ecom", but the website does not require authentication. This may be an attempt to trick you.

Is "www%2Egoogle%2Ecom" the site you want to visit?

[No] [Yes]

I’m using firefox-3.0 3.0.2+build3+nobinonly-0ubuntu2, xulrunner-1.9 1.9.0.2+build3+nobinonly-0ubuntu1 on Ubuntu intrepid amd64.

Revision history for this message
In , Jonathan (jonathan-redhat-bugs) wrote :

I originally reported this upstream as
https://bugzilla.mozilla.org/show_bug.cgi?id=449303
but it appears to be Fedora-specific.

There are screenshots attached to the upstream bug showing the behaviour I get.

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1)
Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1)
Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1

If you go to a URL with a basic auth username and password embedded in it, the
confirmation dialog asks if "mybank" is the site I want to visit, where
"mybank" is the username. If I do want to go to my bank I will click yes, and
be taken to the phishing site.
I believe the dialog should say 'is "www.mozilla.com" the site you want to
visit?' instead, since that's the site the URL goes to.

Reproducible: Always

Steps to Reproduce:
1. click on http://mybank:<email address hidden>/en-US/
2. click yes, thinking you're going to your bank account
Actual Results:
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.

Is "mybank" the site you want to visit?

Expected Results:
dialog says:
You are about to log in to the site "www.mozilla.com" with the user name
"mybank", but the web site does not require authentication. This may be an
attempt to trick you.

Is "www.mozilla.com" the site you want to visit?
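
The host-versus-username distinction this report turns on, as an added example that is not part of the original thread and is not Firefox code: it parses a URL with embedded credentials, builds the confirmation question around the real host, and checks a rendered dialog against it. The function names and the two sample URLs (with placeholder passwords) are constructed for illustration.

```javascript
// Added example (not Firefox code). All function names are hypothetical.

// Percent-decode userinfo for display; fall back to the raw text if malformed.
function decodeUserinfo(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

// True when a username could be mistaken for a host name (dotted labels).
function looksLikeHost(s) {
  return /^([a-z0-9-]+\.)+[a-z]{2,}$/i.test(s);
}

// Split a URL into the parts the dialog talks about.
// Returns null when the URL carries no userinfo.
function inspectAuthUrl(rawUrl) {
  const u = new URL(rawUrl);
  if (u.username === "" && u.password === "") return null;
  const user = decodeUserinfo(u.username);
  return {
    host: u.hostname, // where the request actually goes
    user: user,       // attacker-controllable text before the "@"
    userLooksLikeHost: looksLikeHost(user),
    question: `Is "${u.hostname}" the site you want to visit?`,
  };
}

// Regression check: does the question in a rendered dialog name the host?
function questionNamesHost(dialogText, rawUrl) {
  const m = /Is "([^"]*)" the site you want to visit\?/.exec(dialogText);
  if (!m) return false;
  return m[1] === new URL(rawUrl).hostname;
}

// Constructed sample URLs; the passwords are placeholders.
const TRIPOD = "http://www%2Egoogle%2Ecom:secret@members.tripod.com/";
const MOZILLA = "http://mybank:secret@www.mozilla.com/en-US/";
```
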

Revision history for this message
In , Jonathan (jonathan-redhat-bugs) wrote :

The attachment I added to the upstream bug is https://bugzilla.mozilla.org/attachment.cgi?id=332813

Revision history for this message
In , Gavin Sharp (gavin-sharp) wrote :

I can't reproduce this bug using:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008091618 Firefox/3.0.2
(302build6)
or
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3pre) Gecko/2008091704 GranParadiso/3.0.3pre

I see the correct "Is members.tripod.com the site you want to visit" prompt.

Revision history for this message
In , Matti-mversen (matti-mversen) wrote :

Created attachment 339321
Screenshot from FF3.01

wfm with FF3.01 on win32

Revision history for this message
In , Matti-mversen (matti-mversen) wrote :

marking wfm, please report this to Ubuntu

Revision history for this message
In , Johnath (johnath) wrote :

There's something weirder going on here, because bug 449303 reported the same thing, also on a linux x86_64 platform.

I am bringing this back to UNCONFIRMED - gavin suspects that there's weirdness in the x86_64 compiler they are using, which breaks the way we're doing our string substitutions. That probably means the problem is upstream with the distros, but I'd like to keep the bug open until we can find an answer.

Anders, how would you feel about reporting this to the Ubuntu folks with reference to our suspicion, to see what they think?

Revision history for this message
In , Ted Mielczarek (ted-mielczarek) wrote :

I can reproduce this on x86-64 Ubuntu 8.04, with whatever 3.0.x they're shipping. I'd get the user-agent, but I'm running on remote X from home, so it's kind of painful.

Revision history for this message
In , Karlt (karlt) wrote :

Seeing the behavior described in comment 0 on Gentoo, Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.1) Gecko/2008081113 Gentoo Firefox/3.0.1.

Seeing expected behavior on trunk, Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b1pre) Gecko/20080915020339 Minefield/3.1b1pre.

Revision history for this message
In , Ted Mielczarek (ted-mielczarek) wrote :

Could be related to firefox-on-xulrunner, or some other weirdness.

Revision history for this message
In , Anders Kaseorg (andersk) wrote :
Changed in firefox:
status: Unknown → New
Revision history for this message
Anders Kaseorg (andersk) wrote :

Here’s a relevant comment from the upstream bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=455935#c4
> There's something weirder going on here, because bug 449303 reported the same
> thing, also on a linux x86_64 platform.
>
> I am bringing this back to UNCONFIRMED - gavin suspects that there's weirdness
> in the x86_64 compiler they are using, which breaks the way we're doing our
> string substitutions. That probably means the problem is upstream with the
> distros, but I'd like to keep the bug open until we can find an answer.
>
> Anders, how would you feel about reporting this to the Ubuntu folks with
> reference to our suspicion, to see what they think?

description: updated
Changed in firefox:
status: Unknown → In Progress
Revision history for this message
In , Anders (anders-redhat-bugs) wrote :

I also see this on Ubuntu intrepid amd64, but upstream says it isn’t their fault:

https://bugs.launchpad.net/fedora/+source/firefox/+bug/271933
https://bugzilla.mozilla.org/show_bug.cgi?id=455935

Revision history for this message
In , Karlt (karlt) wrote :

Reproduced in a local debug build from cvs (without a separate xulrunner):
Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.2pre) Gecko/2008081513 Minefield/3.0.2pre

Revision history for this message
Johnath (johnath) wrote :

To elaborate on Anders' point, we have now had several people confirm that the distro-shipped Firefox builds for x86_64 are behaving this way, even though our own builds on the same systems don't seem to. We've seen it on multiple distros, too, so I don't think it's something Ubuntu-specific, and nothing in the Ubuntu-specific patches for Firefox leaps out as a candidate; it really looks like something to do with the build platform, if only because it doesn't look particularly like anything ELSE. :)

Revision history for this message
In , Zilla-kayari (zilla-kayari) wrote :

(I'm the reporter of bug 449303 - seems I'm not the only one seeing this now)

Could it be locale related? My system uses LANG=en_GB

Revision history for this message
In , Matti-mversen (matti-mversen) wrote :

*** Bug 449303 has been marked as a duplicate of this bug. ***

Changed in firefox:
status: New → Confirmed
Revision history for this message
era (era) wrote :

I'm seeing this on a newly installed Intrepid amd64. I'm thus setting this as Confirmed for firefox-3.0 (Ubuntu).

The repro steps are real easy, just type in something like http://fnord:foo@localhost:631/ in the location bar, and inspect the resulting dialog box. (The port needs to have a server running; port 631 should be listening if you have CUPS installed.)

Changed in firefox-3.0:
status: New → Confirmed
Revision history for this message
In , Zilla-kayari (zilla-kayari) wrote :

Can anyone point me to the source related to this bug? Preferably a URL to an online repo view. The firefox codebase is too large for me to start trawling randomly hoping to find it, but I'd like to take a look.

Could this be due to relying on the order of evaluation of function arguments, which is not defined, and could differ depending on platform and optimisation level?

Revision history for this message
In , Jonathan (jonathan-redhat-bugs) wrote :

Still present in firefox-3.0.4-1.fc10.x86_64

(and in ubuntu's 3.0.3 apparently)

Revision history for this message
In , Trev-moz (trev-moz) wrote :

http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/src/nsHttpChannel.cpp is the relevant code, search for the keyword "SuperfluousAuth".

Revision history for this message
In , Matěj (matj-redhat-bugs) wrote :

If you download an upstream binary from http://www.mozilla.com/en-US/ are you able to reproduce this? If yes, then it is conclusively an upstream issue.

Revision history for this message
In , Jonathan (jonathan-redhat-bugs) wrote :

works correctly with upstream build
Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5

Revision history for this message
In , Jonathan (jonathan-redhat-bugs) wrote :

still wrong with latest fedora build
Mozilla/5.0 (X11; U; Linux x86_64; en-GB; rv:1.9.0.5) Gecko/2008121622 Fedora/3.0.5-1.fc10 Firefox/3.0.5

Revision history for this message
In , Bug (bug-redhat-bugs) wrote :

This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 9 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Revision history for this message
In , Bug (bug-redhat-bugs) wrote :

This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 10 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Revision history for this message
In , Jonathan (jonathan-redhat-bugs) wrote :

The problem is no longer present with firefox-3.5.5-1.fc11.x86_64

Revision history for this message
In , Matěj (matj-redhat-bugs) wrote :

Thank you for letting us know.

Changed in firefox (Fedora):
status: In Progress → Fix Released
Revision history for this message
In , Smontagu (smontagu) wrote :

Why was this moved to internationalization?

Revision history for this message
In , Timeless-bemail (timeless-bemail) wrote :

my bet is that the stringbundle code is being bungled :).

Revision history for this message
In , Smontagu (smontagu) wrote :

https://bugzilla.redhat.com/show_bug.cgi?id=462392#c9 says:
| The problem is no longer present with firefox-3.5.5-1.fc11.x86_64

Changed in firefox:
importance: Unknown → Medium
Revision history for this message
In , L. David Baron (dbaron) wrote :

The codepath here was presumably: nsHttpChannelAuthProvider::CheckForSuperfluousAuth -> nsHttpChannelAuthProvider::ConfirmAuth -> nsStringBundle::FormatStringFromName or its older equivalent.

It sounds like this can probably be WORKSFORME now, though.

Revision history for this message
In , Mats-l (mats-l) wrote :

WFM with the current FF33 in Ubuntu:
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:33.0) Gecko/20100101 Firefox/33.0

Changed in firefox:
status: Confirmed → Invalid
Changed in firefox (Fedora):
importance: Unknown → Medium