1155390 - Don't prompt to update a password when there is no username field and the password is identical

Status: RESOLVED FIXED

(Toolkit :: Password Manager, defect)

Description

[Matthew N. [:MattN]]

+++ This bug was initially created as a clone of Bug #1152422 +++
> After bug 1101026 was fixed (by bug 1101029), Nightly remembered my 
> mozilla.okta.com password correctly. About a week ago, Nightly still remembered 
> my password, but would show a doorhanger asking if I would like to update my 
> (unchanged) saved password. Clicking the doorhanger's "Update Password" button 
> did not prevent the doorhanger from being shown next time.

Comment 1

[Matthew N. [:MattN]]

Attachment: MozReview Request: bz://1155390/MattN

/r/7161 - Bug 1155390 - Don't prompt to update a password when there is no username field and the password is identical. r=dolske

Pull down this commit:

hg pull -r d1aef64bec25c55fa16b98dfe16f2794bd81fee3 https://reviewboard-hg.mozilla.org/gecko/

Comment 2

[Matthew N. [:MattN]]

Comment on attachment 8593597 [details]
MozReview Request: bz://1155390/MattN

f? because this still needs a test

Also, I can imagine cases where a password change form has only 2 fields (no double-entry of the new password) and we could use our knowledge of the existing password (in storage) to guess that the field we normally detect as the old password field is actually the new password field. With this change we are placing more trust in getFormField to make the right decision about old vs. new password fields. If we ever implemented the "smarter" heuristics I just mentioned (without other improvements like checking .defaultValue) then we would have asked to update the user's password to the value "test" since that's what's hardcoded in input@name="hidden-password-2" and this fix would no longer work.

Whether we implement these changes or not, we could use recipes to override getFormFields so I guess it's a matter of making the heuristic correct for the more common case (and reducing introducing regressions) but I'm not sure which that is.

Comment 3

[Matthew N. [:MattN]]

Comment on attachment 8593597 [details]
MozReview Request: bz://1155390/MattN

/r/7161 - Bug 1155390 - Don't prompt to update a password when there is no username field and the password is identical. r=dolske

Pull down this commit:

hg pull -r c03873365472e9c5bfa509559da2108927869fbc https://reviewboard-hg.mozilla.org/gecko/

Comment 4

[Matthew N. [:MattN]]

I rebased on top of bug 1152422 since you were okay with that change and that makes this much easier to review. Do read comment 2 still though.

Comment 5

[Matthew N. [:MattN]]

Comment on attachment 8593597 [details]
MozReview Request: bz://1155390/MattN

This shouldn't have been cleared.

Comment 6

[Matthew N. [:MattN]]

Comment on attachment 8593597 [details]
MozReview Request: bz://1155390/MattN

/r/7161 - Bug 1155390 - Don't prompt to update a password when there is no username field and the password is identical. r=dolske

Pull down this commit:

hg pull -r f348d0492106f6d980df1c8f1ed2ae3e1dd34f00 https://reviewboard-hg.mozilla.org/gecko/

Comment 7

[Justin Dolske [:Dolske]]

Comment on attachment 8593597 [details]
MozReview Request: bz://1155390/MattN

https://reviewboard.mozilla.org/r/7159/#review6573

Ship It!

Comment 8

[Pulsebot]

https://hg.mozilla.org/integration/fx-team/rev/e93eb477c5aa

Comment 9

[Matthew N. [:MattN]]

https://hg.mozilla.org/integration/fx-team/rev/e93eb477c5aa

Comment 10

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/e93eb477c5aa

Comment 12

[Matthew N. [:MattN]]

Attachment: MozReview Request: Bug 1155390 - Don't prompt to update a password when there is no username field and the password is identical. r=dolske