The password manager uses a set of imperfect heuristics to capture and fill users' login credentials. Although we strive for these heuristics to work on as many sites as possible, they will unfortunately do the wrong thing sometimes. From past experience, I've found that having a lightweight, maintainable "recipes" system in the password manager can help both devs and end users fix errant sites. Some of things recipes can help with: * explicitly specifying the username or password field for a site (when our heuristics identify the wrong one) * explicitly specifying what is *not* a username or password field (similar problem to above, but a different solution) * supporting multi-stage logins (username on first page, password entry on second) * supporting multi-domain realms (multiple domains that use the same login credentials) * supporting multi-realm domains (e.g., mailman) * supporting sites that require multiple usernames to log in (e.g., email and subscriber ID for a health insurer) * supporting sites that use multiple password fields to log in
We'll need to decide on how we'll specify recipes. My previous project specified them in a YML file with a list of entries of the format <domain>: <config>. For informational purposes, I've attached that file to this bug. Take it with a grain of salt. The documentation in the comments is probably more useful than the actual configurations. Also, my previously project was trying more "ambitious" things, like form auto-submit and overlaying our own UI over the site's login form. There some recipes supporting that functionality which are likely going to be irrelevant. (Lesson learned: don't try to do auto-submit "forms" and don't try to alter the UX too much on the page. It's too fragile.)
Recipes to fix issues with HTTP Basic Auth and Digest Auth would also be handy.
Given the amount of noise in the initial attachment, I've pruned it down a bit to what's relevant.
(In reply to Chris Karlof [:ckarlof] from comment #0) > * explicitly specifying the username or password field for a site (when our > heuristics identify the wrong one) > * explicitly specifying what is *not* a username or password field (similar I broke this part down into bug 1120129 so I can start making it block website bugs which will need that type of recipe.
:dolske raised the following point on IRC and I think it's a good one: 12:53 PM <@dolske> ckarlof: one thing we might want to consider for recipees... I wonder if we should have the ability for a recipee's domain to not be just a site (ie, literal DNS domain) but also something detected on any page. 12:54 PM <@dolske> the specific case I'm thinking of is mailman. 12:54 PM <@dolske> (although it might not be a great example) 12:55 PM <@dolske> being able to make a login specific to a particular path is needed there. If the recipee for doing that was per-host, it would grow to be a gigantic list. Having a "for pages that look like mailman, do this" kind of recipee would be useful.
This is ready to break down.
A recipe to support our Okta SSO would be a good starting place.
Hi Matt, can you provide a point value.
Release Note Request (optional, but appreciated) [Why is this notable]: Improved capability to manage passwords. [Suggested wording]: Not sure yet. Depends on what sites we have ready when we launch this feature [Links (documentation, blog post, etc)]: