Open Bug 1119454 (password-recipes) Opened 6 years ago Updated 8 months ago
[meta] Support per-sites recipes for capturing and filling the user's login credentials
The password manager uses a set of imperfect heuristics to capture and fill users' login credentials. Although we strive for these heuristics to work on as many sites as possible, they will unfortunately do the wrong thing sometimes. From past experience, I've found that having a lightweight, maintainable "recipes" system in the password manager can help both devs and end users fix errant sites. Some of things recipes can help with: * explicitly specifying the username or password field for a site (when our heuristics identify the wrong one) * explicitly specifying what is *not* a username or password field (similar problem to above, but a different solution) * supporting multi-stage logins (username on first page, password entry on second) * supporting multi-domain realms (multiple domains that use the same login credentials) * supporting multi-realm domains (e.g., mailman) * supporting sites that require multiple usernames to log in (e.g., email and subscriber ID for a health insurer) * supporting sites that use multiple password fields to log in
We'll need to decide on how we'll specify recipes. My previous project specified them in a YML file with a list of entries of the format <domain>: <config>. For informational purposes, I've attached that file to this bug. Take it with a grain of salt. The documentation in the comments is probably more useful than the actual configurations. Also, my previously project was trying more "ambitious" things, like form auto-submit and overlaying our own UI over the site's login form. There some recipes supporting that functionality which are likely going to be irrelevant. (Lesson learned: don't try to do auto-submit "forms" and don't try to alter the UX too much on the page. It's too fragile.)
Recipes to fix issues with HTTP Basic Auth and Digest Auth would also be handy.
Given the amount of noise in the initial attachment, I've pruned it down a bit to what's relevant.
(In reply to Chris Karlof [:ckarlof] from comment #0) > * explicitly specifying the username or password field for a site (when our > heuristics identify the wrong one) > * explicitly specifying what is *not* a username or password field (similar I broke this part down into bug 1120129 so I can start making it block website bugs which will need that type of recipe.
:dolske raised the following point on IRC and I think it's a good one: 12:53 PM <@dolske> ckarlof: one thing we might want to consider for recipees... I wonder if we should have the ability for a recipee's domain to not be just a site (ie, literal DNS domain) but also something detected on any page. 12:54 PM <@dolske> the specific case I'm thinking of is mailman. 12:54 PM <@dolske> (although it might not be a great example) 12:55 PM <@dolske> being able to make a login specific to a particular path is needed there. If the recipee for doing that was per-host, it would grow to be a gigantic list. Having a "for pages that look like mailman, do this" kind of recipee would be useful.
This is ready to break down.
A recipe to support our Okta SSO would be a good starting place.
Assignee: nobody → MattN+bmo
Status: NEW → ASSIGNED
Hi Matt, can you provide a point value.
Iteration: --- → 38.2 - 9 Feb
Assignee: MattN+bmo → nobody
Status: ASSIGNED → NEW
Iteration: 38.3 - 23 Feb → ---
Points: 5 → ---
Priority: P1 → --
Summary: Breakdown: Support per-sites recipes for capturing and filling the user's login credentials → Support per-sites recipes for capturing and filling the user's login credentials
Release Note Request (optional, but appreciated) [Why is this notable]: Improved capability to manage passwords. [Suggested wording]: Not sure yet. Depends on what sites we have ready when we launch this feature [Links (documentation, blog post, etc)]:
Matt, did we more or less ship this? I don't want to keep this in release notes triage if we already shipped an earlier version, or if we don't have concrete plans to ship it.
This is a meta bug and we shipped a few different recipe types in dependencies. I don't think we need to track a relnote for this meta bug.
Summary: Support per-sites recipes for capturing and filling the user's login credentials → [meta] Support per-sites recipes for capturing and filling the user's login credentials
You need to log in before you can comment on or make changes to this bug.