Recipes that allow login credentials to be used across multiple domains (i.e., realms)
Categories
(Toolkit :: Password Manager, enhancement, P3)
People
(Reporter: ckarlof, Unassigned)
References
(Depends on 1 open bug, Blocks 5 open bugs, )
Details
(Whiteboard: [passwords:recipes])
User Story
Sites that could still benefit from this:
* Country code TLDs (aka. ccTLDs): ADP, airBNB, Ancestry, eBay, Amazon, TicketMaster, Eventbrite, eHarmony, FourSquare, GlassDoor, Yelp, etc.
* Microsoft: login.live.com, login.microsoftonline.com
* Comcast/Xfinity: comcast.net, xfinity.com

MIT Licensed list: https://github.com/apple/password-manager-resources/blob/master/quirks/websites-with-shared-credential-backends.json
Attachments
(3 obsolete files)
Some web sites span multiple origins, and the same login credentials can be used to authenticate oneself at all of the origins. I call this the "authentication realm" problem. It comes up in multiple contexts, including:
* the realm allows login on http and https pages
* the realm allows login from multiple subdomains
* the realm allows login from completely different domains

Currently, the password manager will store duplicate entries for each of the origins, which is not ideal, particularly if the credentials ever change. This bug is to support recipes to indicate that a set of origins should be treated as "the same" by the password manager for indexing, capturing, and filling purposes.
Comment 1•9 years ago
Two things worry me:
* An evil recipe could steal your passwords from a target site. Are these recipes written/reviewed/released as part of Firefox?
* A recipe that equates origins with different security properties makes users less secure. Especially http vs https.
Comment 2•7 years ago
(In reply to Jesse Ruderman from comment #1)
> Two things worry me:
> * An evil recipe could steal your passwords from a target site. Are these
> recipes written/reviewed/released as part of Firefox?
> * A recipe that equates origins with different security properties makes
> users less secure. Especially http vs https.

I would assume that the user is responsible for ultimately grouping domains together. The Browser should do nothing but maybe give suggestions that need approval. We already use the credentials for the non-encrypted version of a website on the encrypted counterpart. Password changes are not synced back so a new password won't be automatically submitted on the insecure part.
Comment 6•4 years ago
Safari has this concept already and stores their recipes in the DomainsWithAssociatedCredentials key of WBSAutoFillQuirks.plist that ships with Safari.
This list will also be very useful for duplicate checking (bug 1118553) as a login probably shouldn't be considered a duplicate if the same credential is currently saved on two domains for the same "realm".
As a first step, is it crazy to grab the duplicate list from LastPass? It has a built in list that we could probably use, if the lawyers give it the OK.
It'd be nice for FF to have this list built in at the outset.
Comment 8•4 years ago
Getting a list of these sites from some external source is something we will consider.
For our future reference, https://support.logmeininc.com/lastpass/help/duplicate-stored-passwords-across-multiple-sites-lp040007 talks about the default global list that LastPass has.
Comment 10•3 years ago
Mentioning this here from a related bug (Bug 1639737):
...it seems reasonable that if/when we implement realm support, we could provide a way for users to add their own realms if they would like to associate a login with multiple domains...
Comment 12•3 years ago
Apple has open-sourced their realm list under an MIT license! https://github.com/apple/password-manager-resources/blob/master/quirks/websites-with-shared-credential-backends.json
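
How a realm list could drive fill decisions while respecting the http/https concern raised in comment 1, as an added example that is not Firefox or Apple code. The list shape (an array of domain groups), the names `RELATED_REALMS`, `hostMatches`, `realmFor`, `loginsForPage` and the sample logins are assumptions; plain suffix matching stands in for proper registrable-domain handling.

```javascript
// Added example: related-realm lookup for a password manager (not Firefox code).
// RELATED_REALMS is constructed sample data: an array of groups, each group a
// list of domains assumed to share one credential backend.
const RELATED_REALMS = [
  ["comcast.net", "xfinity.com"],
  ["login.live.com", "login.microsoftonline.com"],
];

// True when host is the listed domain or a subdomain of it. Matching on a
// label boundary keeps "evilxfinity.com" from matching "xfinity.com".
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Return the realm group that contains host, or null.
function realmFor(host, realms = RELATED_REALMS) {
  return realms.find(group => group.some(d => hostMatches(host, d))) || null;
}

// Pick saved logins that may be offered on pageUrl.
// Exact-origin logins always qualify. Related-realm logins qualify only when
// both the page and the saved login are https, so a recipe can never make a
// credential saved on a secure origin fill on a plaintext one.
function loginsForPage(pageUrl, savedLogins, realms = RELATED_REALMS) {
  const page = new URL(pageUrl);
  const group = realmFor(page.hostname, realms);
  return savedLogins.filter(login => {
    const saved = new URL(login.origin);
    if (saved.origin === page.origin) return true;
    if (!group) return false;
    if (page.protocol !== "https:" || saved.protocol !== "https:") return false;
    return group.some(d => hostMatches(saved.hostname, d));
  });
}

// Constructed sample store.
const SAVED = [
  { origin: "https://login.xfinity.com", username: "alice" },
  { origin: "http://comcast.net", username: "alice-old" },
  { origin: "https://example.org", username: "bob" },
];

console.log(loginsForPage("https://customer.comcast.net/", SAVED).map(l => l.username));
```

Because the realm list decides which origins receive a saved password, it has to be treated as security-sensitive data that ships through the same review and release path as code.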
Comment 18•3 years ago
Same thing for:
https://www.banggood.com/
https://de-m.banggood.com/
Comment 20•2 years ago
Comment on attachment 9199383 [details]
Bug 1120684 - Add websites-with-shared-credential-backends dump to tree. r=leplatrem
Revision D103105 was moved to bug 1687996. Setting attachment 9199383 [details] to obsolete.
Comment 21•2 years ago
Comment on attachment 9177498 [details]
Bug 1120684 - Allow autocomplete to use related realm credentials. r=sfoster!,leplatrem!,dimi
Revision D91205 was moved to bug 1699705. Setting attachment 9177498 [details] to obsolete.
Comment 23•2 years ago
Excuse me for the duplicate :(
I read all the bug and one thing maybe is not mentioned: will it be possible for the end user to add domains on his own configuration?