by pjc50 2411 days ago
Wow, yes, having looked at it, it's really that simple. All the exploit is doing is triggering a 403 authentication popup. There's even a comment on that bug with the exact scam in it - from two years ago!

In-browser treatment of HTTP auth is just shockingly bad. But Firefox seems to be somewhere you get rewarded for introducing new features rather than fixing bugs.

2 comments

> In-browser treatment of HTTP auth is just shockingly bad.

My biggest annoyance is that since the login modal blocks the rest of the UI, I can't use my password manager!

(At least, I can't use Bitwarden, but I can't imagine how any other browser-plugin-based password manager would get around this.)

Funnily enough, in old versions of Firefox (before they deprecated the old plugin system), password managers like LastPass were able to alter the http-auth pop-up so as to add their functionality to it.

At the time I thought that was cool, and was sad when it went away with the new plugin architecture, but looking back it does indicate quite how bad the situation was with that old plugin format.

It's not 403, it is 401.

> But Firefox seems to be somewhere you get rewarded for introducing new features rather than fixing bugs.

Something else they are copying from Google!