Closed Bug 1185443 Opened 10 years ago Closed 6 years ago

Firefox fills in wrong type="password" input field without checking "name" attribute

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 623910
Tracking Flags:
Tracking Status
firefox39 --- affected
firefox40 --- affected
firefox41 --- affected
firefox42 --- affected

People

(Reporter: atlantidu, Unassigned)

References

Details

(Keywords: reproducible)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36 Steps to reproduce: Windows 8.1 Pro x64 Firefox fill other password field (with another "name" attribute and on other page). 1. Login in some site (with saving login and passwords) 2. Go to page for Change password (may be settings) 3. Firefox finds a first field with type "password" and put into it saved password. But this may be NOT field "old password" but "new password". the 38 version of this problem is missing. autocomplete="off" does not solve the problem Actual results: Firefox use different field for autocomplete, and did not check it for compliance by attribute "name" (it is not "password" and "new_password") Expected results: The field should be empty, since it has a different name
Component: Untriaged → Layout: Form Controls
OS: Unspecified → Windows 8.1
Product: Firefox → Core
Hardware: Unspecified → x86_64
Keywords: cert-waiver
Keywords: cert-waiver
Component: Layout: Form Controls → Form Manager
Product: Core → Toolkit
@Matt: is this form manager behavior a bug or a feature? hi VIktor. Thanks for reporting this problem! Is the problem you see that Firefox fills in your saved password into the first password input field on a page (such as a website's "Change Password" page), regardless of the input field's "name" attribute? I can reproduce this problem on Hacker News. On Hacker News' login page, the "name" attribute of the password field is "pw": https://news.ycombinator.com/login <input type="password" name="pw" size="20"> Hacker News' "Change Password" page has two type="password" input fields. The first password field is labelled "Current Password" and its "name" attribute is "oldpw". The second password field is labelled "New Password" and its "name" attribute is "pw" (like the login page). But Firefox fills my current password into the "Current Password" field, even though its "name" attribute is "oldpw", not "pw". On one hand, Firefox is doing the right thing: my current password is filled into the password field labelled "Current Password". On the other hand, that password field's "name" attribute does not match the "name" attribute for the login page from which it was saved. https://news.ycombinator.com/changepw <form method="post" action="/r"> <input type="hidden" name="fnid" value="EwFFrczuufxuTTwt7F5wbC"> <input type="hidden" name="fnop" value="changepw-page"> <table border="0"> <tr><td>Current Password:</td><td><input type="password" name="oldpw" size="20"></td></tr> <tr><td>New Password:</td><td><input type="password" name="pw" size="20"></td></tr> <tr><td></td><td><input type="submit" value="Change"></td></tr> </table> </form>
Status: UNCONFIRMED → NEW
status-firefox39: --- → affected
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox42: --- → affected
Ever confirmed: true
Flags: needinfo?(MattN+bmo)
Keywords: reproducible
OS: Windows 8.1 → All
Hardware: x86_64 → All
Summary: Browser does fills another field and don't checked attribute "name" → Firefox fills in wrong type="password" input field without checking "name" attribute
Version: 39 Branch → Trunk
Autocomplete is a very correct and helpful. But to fill up the first available password field is a courageous decision :D
I reported a similar problem. see: Bug 1197545 - autocompletion of credentials (userId/Password) wrongly done on any field preceding a field having type="password"
Component: Form Manager → Password Manager
We don't consider @name for our heuristics.
Flags: needinfo?(MattN+bmo)

Bug 623910 may help for login forms. The site can also now use autocomplete="new-password" to tell browsers that a field is for a new password instead of a current-password.

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.