1174327 - Add an Allow/Disallow autofill password option

Status: RESOLVED FIXED

(Toolkit :: Password Manager, defect, P2)

Description

[Tanvi Vyas[:tanvi]]

As described in bug https://bugzilla.mozilla.org/show_bug.cgi?id=1118511, autofilling passwords is a security issue.  I'm not sure we are going to come to a resolution on bug 1118511 soon, so in the meantime it would be great to give the user an option to opt-in/opt-out of autofilled passwords.  Ryan has proposed the following UX to add a checkbox for autofilling:
https://www.lucidchart.com/publicSegments/view/555b6d79-8c58-4c53-9bd9-1a560a004433/image.png

We can start with it being checked by default and then explore other default options.  (ex: Checked by default for https sites, unchecked by default for HTTP sites.  Or unchecked by default.)

Filing this bug to track the work to add the checkbox

Comment 2

[Ryan Feeley [:rfeeley]]

This question this brings up to me is how we handle exceptions. As I understand it today, our one option labelled "Ask to save logins and passwords for websites" actually represents something more like "Ask to save logins and passwords AND AUTOMATICALLY FILL THEM". If we separate these into two options, would we need exceptions lists for both or only for fill?

Comment 3

[Matthew N. [:MattN]]

(In reply to Ryan Feeley [:rfeeley] from comment #2)

This question this brings up to me is how we handle exceptions. As I understand it today, our one option labelled "Ask to save logins and passwords for websites" actually represents something more like "Ask to save logins and passwords AND AUTOMATICALLY FILL THEM". If we separate these into two options, would we need exceptions lists for both or only for fill?

Maybe… I was thinking as a first step that this new option would be indented under the existing one so we wouldn't need that for now. If we wanted to allow controlling autofill for an individual login I think that would make sense to be shown in the login list, not in a separate exceptions dialog IMO.

I also think we need to keep exceptions for remembering since users get annoyed when they are asked to save logins that they don't want to save (e.g. ones they find more sensitive like banking ones).

Comment 4

[Matthew N. [:MattN]]

I now notice that a nested checkbox won't work nicely here since we have two buttons on the right side already:

[x] Ask to save logins and passwords for websites [Exceptions…  ]
                                                  [Saved Logins…]

Maybe putting the checkbox at the bottom center of the list subdialog makes more sense?

Comment 5

[Ryan Feeley [:rfeeley]]

Attachment: autofill-checkbox.png

This gives users distinct control over whether or not passwords are autofilled without surfacing it to highly. Makes sense?

Comment 6

[:prathiksha]

Attachment: Bug 1174327 - Add an Allow/Disallow autofill password option. r?MattN

Add an Allow/Disallow autofill password option

Comment 7

[Matthew N. [:MattN]]

This should wait to land until after the soft code freeze. It ends on Monday.

Comment 8

[Pulsebot]

Pushed by prathikshaprasadsuman@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/684dcc4149ad
Add an Allow/Disallow autofill password option. r=MattN

Comment 9

[Cosmin Sabou [:CosminS]]

https://hg.mozilla.org/mozilla-central/rev/684dcc4149ad