How to disable the "insecure password" warning in Firefox

Red Squirrel · Oct 15, 2022

My dev server is not HTTPS as I don't want to keep having to deal with certificates for each sub domain etc (I have 1 subdomain per dev project, it's dynamically generated based on folders) and since it's local I just don't bother. However any time I'm entering forms I get the warning that it's not secure. Is there a way to disable that?

I followed this page: https://www.thewindowsclub.com/disable-insecure-password-login-prompt-firefox

But I don't see any option called security.insecure_password.ui.enabled only security.insecure_field_warning but I set it to false and it still does not work. Anything else I can try? Is there perhaps a way to add an IP exception or something? I just want to do the whole 10.x.x.x range.

I've gotten this to work before which is odd, but it just started doing it again a while back.

mxnerd · Oct 15, 2022

try security.insecure_field_warning.contextual.enabled. it's mentioned in the link (and its comments) you provided

Red Squirrel · Oct 15, 2022

Yeah that's already on. (well, off I guess) That's originally how I disabled but but it seems to have stopped working. Wonder if an update changed something.

mxnerd · Oct 15, 2022

I couldn't find security.insecure_password.ui.enabled either. But found a security.insecure_field_warning.ignore_local_ip_address setting.

I don't use Firefox, you have to try yourself.

Red Squirrel · Oct 16, 2022

Yeah I have that one on too, but I think it's only for localhost. Ex: 127.x.x.x.

mxnerd · Oct 16, 2022

I just tried Firefox on local HFS HTTP file web server, no warning at all, didn't change any settings.

==

Seems the setting has been removed 3 years ago.

1567827 - Get rid of security.insecure_password.ui.enabled

RESOLVED (scientistartist) in Firefox - Site Identity. Last updated 2020-03-19.

bugzilla.mozilla.org

Are you using very old version of Firefox?

Red Squirrel · Oct 16, 2022

It should be fairly recent, I just did an OS update today which should have updated Firefox too. I'm not at that computer right now but it's version 100 and something if I recall.

mxnerd · Oct 16, 2022

Or just get a wildcard subdomain certificate

https://www.youtube.com/results?search_query=wildcard+subdomain+certificate

Red Squirrel · Oct 16, 2022

Problem is this is local, there is no way to do the validation. Letsencrypt also does not do wildcard certs, at least I don't think.

mxnerd · Oct 16, 2022

Searched.

Easy Apache localhost development SSL wildcard for all your projects

Since I've been using linkedin instead of writing articles on my blog I am writing this tutorial here as well..

www.linkedin.com

https://stackoverflow.com/questions/20088/is-there-a-way-to-make-firefox-ignore-invalid-ssl-certificates

Red Squirrel · Oct 16, 2022

That's just replacing an error with another, and I don't know if I want to actually disable cert errors, as I want to see if I have errors on my production sites when I visit them by routine, and I don't really want to have to use multiple browsers.

There has got to be a way to just disable the form warning.

mxnerd · Oct 16, 2022

Don't know if you still have other options:

Found this article. TLTR

No More Passwords over HTTP, Please! - Tanvi Vyas

Update: This feature is now also enabled in Firefox Release, starting with Firefox 51. See this post for more details. Firefox Developer Edition 46 warns developers when login credentials are requested over HTTP. Username and password pairs control access to users’ personal data. Websites...

blog.mozilla.org

mxnerd · Oct 16, 2022

So I downloaded the whole Firefox code and checked it out to C:\mozilla-source\mozilla-unified following the instruction here.

Building Firefox On Windows — Firefox Source Docs documentation

firefox-source-docs.mozilla.org

But don't really know which one is the true Firefox repository on the internet.

I used Everything to search strings

Regarding security.insecure_field_warning.ignore_local_ip_address setting

C:\mozilla-source\mozilla-unified\toolkit\components\passwordmgr\InsecurePasswordUtils.jsm

mozilla-central/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm at master · julienw/mozilla-central

clone of mozilla-central using cinnabar. Contribute to julienw/mozilla-central development by creating an account on GitHub.

github.com

javascript file handled insecure password conditions eventually should have called
isLocalIPv4 function in DNS.cpp file located at C:\mozilla-source\mozilla-unified\netwerk\dns

mozilla-central/DNS.cpp at master · julienw/mozilla-central

clone of mozilla-central using cinnabar. Contribute to julienw/mozilla-central development by creating an account on GitHub.

github.com

the code is

C++:

static bool isLocalIPv4(uint32_t networkEndianIP) {
  uint32_t addr32 = ntohl(networkEndianIP);
  return addr32 >> 24 == 0x0A ||    // 10/8 prefix (RFC 1918).
         addr32 >> 20 == 0xAC1 ||   // 172.16/12 prefix (RFC 1918).
         addr32 >> 16 == 0xC0A8 ||  // 192.168/16 prefix (RFC 1918).
         addr32 >> 16 == 0xA9FE;    // 169.254/16 prefix (Link Local).
}

so in theory it should work and shouldn't issue warning because the defaut value is true.

==

Found a site to search Firefox code.

Searchfox

searchfox.org

mxnerd · Oct 16, 2022

InsecurePasswordUtils.jsm - mozsearch

searchfox.org

JavaScript:

 isFormSecure(aForm) {
    let isSafePage = aForm.ownerDocument.defaultView.isSecureContext;

    // Ignore insecure documents with URLs that are local IP addresses.
    // This is done because the vast majority of routers and other devices
    // on the network do not use HTTPS, making this warning show up almost
    // constantly on local connections, which annoys users and hurts our cause.
    if (!isSafePage && this._ignoreLocalIPAddress) {
      let isLocalIP = this._isPrincipalForLocalIPAddress(
        aForm.rootElement.nodePrincipal
      );

      let topIsLocalIP =
        aForm.ownerDocument.defaultView.windowGlobalChild.windowContext
          .topWindowContext.isLocalIP;

      // Only consider the page safe if the top window has a local IP address
      // and, if this is an iframe, the iframe also has a local IP address.
      if (isLocalIP && topIsLocalIP) {
        isSafePage = true;
      }
    }

    let { isFormSubmitSecure, isFormSubmitHTTP } = this._checkFormSecurity(
      aForm
    );

    return isSafePage && (isFormSubmitSecure || !isFormSubmitHTTP);
  },

mxnerd · Oct 17, 2022

OK, so it does not include localhost which translate to 127.0.0.1
You should use a real LAN IP address.

C++:

static bool isLocalIPv4(uint32_t networkEndianIP) {
  uint32_t addr32 = ntohl(networkEndianIP);
  return addr32 >> 24 == 0x0A ||    // 10/8 prefix (RFC 1918).
         addr32 >> 20 == 0xAC1 ||   // 172.16/12 prefix (RFC 1918).
         addr32 >> 16 == 0xC0A8 ||  // 192.168/16 prefix (RFC 1918).
         addr32 >> 16 == 0xA9FE;    // 169.254/16 prefix (Link Local).
}

Red Squirrel · Oct 17, 2022

The dev server is on a 10.x.x.x range, so it's odd it's not working if it should.

Maybe I'll just bite the bullet and look at setting up a local CA and do wild card certs for all my local domains. or at least the ones that have web servers. I think with a local CA you don't get the invalid certificate warnings. You need to import a cert file in the browser or something. Need to read up more on it.

How to disable the "insecure password" warning in Firefox

No Lifer

Diamond Member

No Lifer

Diamond Member

No Lifer

Diamond Member

No Lifer

Diamond Member

No Lifer

Diamond Member

No Lifer

Diamond Member

Diamond Member

Diamond Member

Diamond Member

No Lifer