input with autocomplete=off shows history of entered values

Status: UNCONFIRMED
Assignee: Unassigned
Product: Toolkit
Component: Password Manager
Reporter: Katarína Michaličková
Flags: NeedInfo
Tracking: 44 Branch
Firefox Tracking Flags: Not tracked

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Steps to reproduce:

I made a simple web login page -> 
- input (name:username, type:text, autocomplete:off, autofocus) 
- input (name:pass, type:password)


Actual results:

When page is loaded no suggestions appear after clicking the input(name:username) - that's OK,
but when I click somewhere else to lose focus and then back in the input more times... suggestions appear (from all pages with same input(name:username))


Expected results:

No suggestions should appear for user security.

Comment 1

2 years ago
Not a security issue. I believe that form autocomplete falls into the password manager bugzilla component, but Matt could you confirm?
Group: firefox-core-security
Component: Untriaged → Password Manager
Flags: needinfo?(MattN+bmo)
Product: Firefox → Toolkit

(In reply to Benjamin Smedberg [:bsmedberg] from comment #1)
> Not a security issue. I believe that form autocomplete falls into the
> password manager bugzilla component, but Matt could you confirm?

Form autocomplete is Toolkit::Form Manager (/toolkit/components/satchel/) unless the field is for a username, in which case it's password manager.

(In reply to Katarína Michaličková from comment #0)

Hello Katarína,

> When page is loaded no suggestions appear after clicking the
> input(name:username) - that's OK,

We never show suggestions upon single click, only double-click, click then typing, or click then down arrow, etc.

> but when I click somewhere else to lose focus and then back in the input more
> times... suggestions appear (from all pages with same input(name:username) )

So you're saying that form history suggestions appear, not saved logins?

> Expected results:
> 
> No suggestions should appear for user security.

It's questionable what the security benefit of not remembering a username is.

Please attach an HTML test case that demonstrates the problem since I'm not sure if you're describing expected behaviour or not.

We intentionally don't honour autocomplete=off anymore on username or password fields since it should be up to the user to decide whether to save their login, as password managers have been shown to lead to increased security through less password re-use and more complex passwords. In that case, selecting the username should fill the password, but it seems like that's not what you're seeing, so there may be a bug, but I can't say for sure without a test case or more details.

See https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
Flags: needinfo?(MattN+bmo) → needinfo?(katienka.mich)
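
An added example, not part of the bug thread or Mozilla's code: a small Python audit that lists the fields in a page's login forms that carry autocomplete=off, which the last comment says Firefox no longer honours on username or password fields. The rule used to pick the username field (nearest text or email input before the password field) is an assumption for illustration, not Firefox's actual heuristic, and the sample HTML is constructed from comment #0.

```python
from html.parser import HTMLParser

# Constructed sample: the form from comment #0 plus a non-login form.
SAMPLE = """
<form action="/login" method="post">
  <input name="username" type="text" autocomplete="off" autofocus>
  <input name="pass" type="password">
</form>
<form action="/search"><input name="q" type="text" autocomplete="off"></form>
"""

class FormCollector(HTMLParser):
    """Collect the <input> fields of each <form> in document order."""

    def __init__(self):
        super().__init__()
        self.forms = []       # one list of field dicts per <form>
        self._open = None     # fields of the form currently being parsed

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self._open = []
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            a = dict(attrs)
            self._open.append({
                "name": a.get("name") or "",
                "type": (a.get("type") or "text").lower(),
                "off": (a.get("autocomplete") or "").lower() == "off",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit(html):
    """Return (name, role) for each login field that carries autocomplete=off."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for fields in collector.forms:
        pw = next((i for i, f in enumerate(fields) if f["type"] == "password"), None)
        if pw is None:
            continue  # no password field: ordinary form history applies
        # Assumption: the username is the nearest text/email field before the password.
        user = next((f for f in reversed(fields[:pw]) if f["type"] in ("text", "email")), None)
        for field, role in ((user, "username"), (fields[pw], "password")):
            if field is not None and field["off"]:
                findings.append((field["name"], role))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The search form's `q` field is not reported because its form has no password field, so it falls under form history rather than the password manager.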