Closed Bug 1248614 Opened 8 years ago Closed 5 years ago

input with autocomplete=off shows history of entered values

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Version:
44 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: katienka.mich, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

I made a simple web login page -> 
- input (name:username, type:text, autocomplete:off, autofocus) 
- input (name:pass, type:password)


Actual results:

When page is loaded no suggestions appear after clicking the input(name:username) - that´s OK, 
but when I click somewhere else to loose focus a then back in the input more times... suggestions appear (from all pages with same input(name:username) )


Expected results:

No suggestions should appear for user security.
Not a security issue. I believe that form autocomplete falls into the password manager bugzilla component, but Matt could you confirm?
Group: firefox-core-security
Component: Untriaged → Password Manager
Flags: needinfo?(MattN+bmo)
Product: Firefox → Toolkit
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #1)
> Not a security issue. I believe that form autocomplete falls into the
> password manager bugzilla component, but Matt could you confirm?

Form autocomplete is Toolkit::Form Manager (/toolit/components/satchel/) unless the field is for a username, in which case it's password manager.

(In reply to Katarína Michaličková from comment #0)

Hello Katarína,

> When page is loaded no suggestions appear after clicking the
> input(name:username) - that´s OK, 

We never show suggestions upon single click, only double-click, click then typing, or click then down arrow, etc.

> but when I click somewhere else to loose focus a then back in the input more
> times... suggestions appear (from all pages with same input(name:username) )

So you're saying that form history suggestions appear, not saved logins?

> Expected results:
> 
> No suggestions should appear for user security.

It's questionable what the security benefit of not remembering a username is.

Please attach an HTML test case that demonstrates the problem since I'm not sure if you're describing expected behaviour or not.

We intentionally don't honour autocomplete=off anymore on username or passwords fields since it should be up to the user to decide whether to save their login as password managers have been shown to lead to increased security through less password re-use and more complex passwords. In that case, selecting the username should fill the password but it seems like that's not what you're seeing so there may be a bug but I can't say for sure without a test case or more details.

See https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
Flags: needinfo?(MattN+bmo) → needinfo?(katienka.mich)
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(katienka.mich)
You need to log in before you can comment on or make changes to this bug.