Insecure content warning in converter password field

[johnjamesjacoby]

With the onset of HTTPS everywhere, today's web browsers are beginning to alert users about possible insecure content being transmitted across the web.

One place this is prevalent in bbPress is the database password field in the importer. In Chrome on a non-HTTPS domain, a warning will appear in the console with a link off to a Google page explaining the notice.

Future versions of web browsers have promised to continue to make these alerts more and more user intrusive, until the web is HTTPS and using SSL by default.

[johnjamesjacoby]

The easy solution is to switch the database password field away from a type of password and just use text. Browsers see password fields as globally insecure on non-HTTPS pages, which triggers the above warning.

The problem as I see it, is that the value of this field is saved to the database. This was originally so that subsequent queries from the batch processor aren't reliant on cookies, and so lengthy imports could be handed off to other admins without needing to re-enter those credentials.

I really don't consider the saving of the database password to the database a security problem by itself, but revealing the database password anywhere in the UI could be. The bbPress screens are protected by roles & capability checks, so it's not really a concern IMO, but it's worth documenting this bit for future discussion.

[johnjamesjacoby]

In 6677:

Converter: Add toggle to show/hide the database password contents.

This change provides a relatively sane middle-ground for insecure content warnings in the converter, by providing a button to toggle the password field back and forth to a text field. Ideally, in the future, there will be a legitimate way to do this.

Trunk, for 2.6. See #3153.

[johnjamesjacoby]

Let's call this fixed for 2.6, and revisit sometime in the future as browser security progresses.

[johnjamesjacoby]

Assigning all closed & unassigned tickets in the 2.6 milestone to myself.