A few tests
CONTACT: Jerry Decime with questions. This site is for security research and demonstration purposes only. The associated domains are for use in demonstrating the dangers of vanity domains and their associated uses and in no way are used in the marketing of products which could be confused with trademark holders.
Here are some XSA browser tests:
1) microsoft-authenticator (http)
2) microsoft-authenticator (https)
3) 401 basic auth (http)
Expected behavior: browser should load http://microsoft-authenticator.com/auth in the address bar and not prompt the user for credentials within the secure origin of the originating site. No padlock should be present.
4) 401 basic auth (https)
4.a) 401 basic auth _self target
4.b) 401 basic auth _blank target
4.c) 401 basic auth _top target
4.d) 401 basic auth _parent target
Expected behavior of 4.x tests: browser should load https://microsoft-authenticator.com/auth in the address bar and not prompt the user for credentials within the secure origin of the originating site. The padlock should be present.
Start mixed auth testing below:
5) Mixed content (aka: mixed mode)
6) Mixed content authentication
7) Mixed content authentication where an http request for an image on microsoft-authenticator.com is redirected to https on f1-wireless.com
8) HTTP link from HTTPS context
Expected behavior: browser should load https://apple-identity.com/auth in the address bar and not prompt the user for credentials within the secure origin of the originating site. The padlock should be present.
9) iFrames
Expected behavior: browser will prompt for credentials with no known good mitigation strategy at this time. Be careful when using iFrames as the referenced site can prompt auth credentials within the secure origin of the originating site!
10) Sandboxed iFrames
Expected behavior: iFrame sandboxes do not prevent HTTP auth dialogs but should.
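To check a browser against the 401 basic auth tests (3, 4.x, 9 and 10) offline, here is an added local harness; it is not code from this site. It runs two origins on 127.0.0.1 (two ports), one serving an originating page and the other always answering 401 with a basic-auth challenge; the ports, paths and realm name are assumptions chosen for the demo.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PAGE_PORT, AUTH_PORT = 8000, 8001  # two ports = two origins (constructed)
REALM = "xsa-demo"                 # constructed realm name

def auth_challenge_headers():
    """Headers the 'third-party' origin sends to demand basic-auth credentials."""
    return {"WWW-Authenticate": f'Basic realm="{REALM}"',
            "Content-Type": "text/plain"}

def make_test_page(auth_url):
    """Originating page referencing the 401 endpoint the ways the tests above do."""
    return f"""<!doctype html><title>401 basic auth tests</title>
<p><a href="{auth_url}" target="_self">_self link</a>
   <a href="{auth_url}" target="_blank">_blank link</a></p>
<p>image: <img src="{auth_url}" alt="401 image"></p>
<p>iframe: <iframe src="{auth_url}"></iframe></p>
<p>sandboxed iframe: <iframe sandbox src="{auth_url}"></iframe></p>
"""

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/auth":
            # Always challenge; the browser decides where to show its dialog
            self.send_response(401)
            for name, value in auth_challenge_headers().items():
                self.send_header(name, value)
            self.end_headers()
            self.wfile.write(b"credentials required\n")
            return
        body = make_test_page(f"http://127.0.0.1:{AUTH_PORT}/auth").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve(port):
    HTTPServer(("127.0.0.1", port), Handler).serve_forever()

if __name__ == "__main__":
    # Open http://127.0.0.1:8000/ and note, for each element, whether the
    # credential dialog appears while the originating page is still in the
    # address bar or only after navigation to the :8001 origin.
    threading.Thread(target=serve, args=(AUTH_PORT,), daemon=True).start()
    serve(PAGE_PORT)
```

The plain-link cases should only prompt after the address bar changes to the :8001 origin; the image, iframe and sandboxed iframe rows show whether the browser under test matches the expected behavior listed for tests 9 and 10.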