Open Bug 1266381 Opened 8 years ago Updated 2 years ago

An empty user name is created when updating Yahoo's password


(Toolkit :: Password Manager: Site Compatibility, defect, P3)




Tracking Status
firefox48 --- affected


(Reporter: sbadau, Unassigned)





(1 file)

Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160420030213

[Affected versions]:
Nightly 48.0a1
Firefox Developer Edition 47.0a2
Firefox 46 RC build 4
Firefox 45.0.2 RC

[Affected platforms]:
Windows 10
Mac OS X 10.9
Ubuntu 15.04

[Steps to reproduce]:
1. Log into your Yahoo Mail account
2. In the upper right corner -> hover the mouse over the Help button -> click on the Account Info option
3. Click on Account Security -> Change Password
4. Enter a new password and confirm it.
5. Look at the password doorhanger.

[Expected result]:
The password doorhanger should prompt you to Update. The user name should be the same with the one the logging was done in step 1.

[Actual result]:
The password doorhanger prompts you to Remember the password. 
The user name from the password doorhanger is empty.
Two logins are saved for the same Yahoo account.
Please see the Screencast for more details.

[Regression range]:
Not sure this is a regression. I will investigate and post the results in regards to this as soon as possible.
Attached video YahooScreencast.mp4
Thanks for the report.

(In reply to Simona B [:simonab] from comment #0)
> [Regression range]:
> Not sure this is a regression. I will investigate and post the results in
> regards to this as soon as possible.

I doubt this is a regression as there are two problems that prevent this from working:
a) The change password form is on a different origin than the login form and we don't support realms: bug 1120684
b) The change password form doesn't include the username OR old password on the page so we wouldn't know this was a change (it looks like a registration with only 2 fields for the new password).

(a) is something we just need to do but (b) would be easiest to fix on Yahoo's side by having the username in a readonly/disabled or display:none <input>. Also note that (b) is somewhat addressed by the fact that the user can correct their username in the doorhanger and the button would switch from "Remember" to "Update" (if we had (a)). The other option for addressing (b) is a per-site recipe to tell pwmgr that any edit on that page or subdomain needs to be treated as a change though there will be UX problems with that since it's possible the user didn't have their old password for that account saved yet so it may actually be new to Firefox.
Component: Password Manager → Password Manager: Site Compatibility
Priority: -- → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.