Password autofill & autocomplete don't work on www.caljobs.ca.gov due to additional fields used as placeholders

NEW
Unassigned

Status

()

defect
5 years ago
3 years ago

People

(Reporter: MattN, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

()

Attachments

(1 attachment)

Posted file form extract
> Login Manager (content): form not filled, has autocomplete=off
> Login Manager (content): Password not filled. None of the stored logins match the username already present.


The problem is the 2nd input below is used for "placeholder" text instead of using @placeholder. I think we detect #ctl00$txtPassword2 as the username since it is @type=text and since @autocomplete=off is on the real password field, we don't even autofill it. Since the field we think is the username field gets hidden on focus, there isn't an autocomplete dropdown for the user to override autocomplete=off.

<form>
…
<input name="ctl00$txtUsername" maxlength="256" id="txtUsername" class="txtUsername" autocomplete="off" onfocus="setDefaultButton('ctl00_cmdLogin')" type="text">
…
<input name="ctl00$txtPassword2" maxlength="20" id="txtPassword2" class="txtPassword" onfocus="setDefaultButton('ctl00_cmdLogin')" autocomplete="off" style="" type="text">
<input style="display: none;" name="ctl00$txtPassword" maxlength="20" id="txtPassword" class="txtPassword" autocomplete="off" onfocus="setDefaultButton('ctl00_cmdLogin')" type="password">
…
</form>

Overriding autocomplete=off and providing a recipe for the username field (bug 1120129) would fix this site.

Comment 1

5 years ago
I don't see the point of filing this bug, since (1) many sites do the same and (2) it's certainly deliberate on the part of the site owner (which is why the field names change each time you connect to it).

Besides, I've worked around it using the Autofill add-on, which is good enough (although it would be nice if Autofill's data were password protected).
(In reply to John David Galt from comment #1)
> I don't see the point of filing this bug, since (1) many sites do the same

We want to know the list of sites so we can either make fixes to the heuristics or add a per-site recipe to override the behaviour of the heuristics for sites like this that do weird things.

> (2) it's certainly deliberate on the part of the site owner (which is
> why the field names change each time you connect to it).

I don't see the field name changing regularly but I think the ID is just how ASP.NET names it's field by default and isn't an attempt to prevent autocompletion (though the @autocomplete=off already is). It seems more likely that the additional <input type=text value==Password /> is the way the decided to implement the placeholder text instead of using the newer placeholder attribute for this purpose (probably because they didn't want to do feature-detection for older browsers).

We don't want users to have to install extensions to get a good UX for logging into sites.

Comment 3

5 years ago
Then why not just generalize the "remember password" functionality to autofill any field the user wants to save?  That must be simpler than incremental changes for every site.
That is one of the fallback behaviours we will likely add but that will still cause inconsistency between websites as some will still auto-fill and others the user will have to take some manual interaction but the user doesn't understand why they only have to do that on some websites. Not understanding why the fallback is only needed on some websites will reduce the trust in the password manager to Just Work™.
Component: Password Manager → Password Manager: Site Compatibility
You need to log in before you can comment on or make changes to this bug.