Closed Bug 1294194 Opened 4 years ago Closed 1 year ago

Don't prompt to re-save a filled login when used on a different origin

Categories

(Toolkit :: Password Manager, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla67
Tracking Status
firefox51 --- wontfix
firefox52 --- wontfix
firefox53 --- wontfix
firefox54 --- wontfix
firefox67 --- fixed

People

(Reporter: MattN, Assigned: jaws)

References

(Blocks 1 open bug)

Details

(Whiteboard: [passwords:fill-ui] )

Attachments

(1 file, 1 obsolete file)

In bug 1200472 and others we want to fill a login from an origin other than the one it's saved for but likely don't want to prompt to save it as a new login for that new origin upon submission. If we keep track of the guid of the login we filled then we can look up that login and see if the username+password match upon submission to know whether to prompt or not. The state can probably be saved on the FormLike objects in _formLikeByRootElement.

Possible implementation:
1) Have LoginManagerContent.jsm's _fillForm record the guid of the filled login on the FormLike in _formLikeByRootElement.
2) Upon submission, look up if a login was filled in _formLikeByRootElement. If so, check that the username and password matched the captured ones (in case the user corrected/changed the fields after filling) and if they match then don't prompt to remember the login as a new one.

We may want to also handle password changes where the username is the same but that may be fine in a follow-up depending on the implementation details/complexity. 

In the future we may want to track that we should auto-fill this login on this new origin but that can be left to a follow-up.
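
The two steps proposed in the comment above, as an added sketch that is not part of the original comment and is not Firefox's LoginManagerContent.jsm code. The names FillTracker, recordFill and shouldPromptToSave, the origin-scoped fallback check and the sample login are assumptions made for illustration.

```javascript
// Illustrative sketch only; not Firefox code. FillTracker, recordFill and
// shouldPromptToSave are hypothetical names.

// Constructed sample store: one login saved for accounts.example.com.
const SAVED_LOGINS = [
  { guid: "{constructed-guid-0001}", origin: "https://accounts.example.com",
    username: "alice", password: "s3cret" },
];

class FillTracker {
  constructor(savedLogins) {
    this.savedLogins = savedLogins;
    // Form root element -> guid of the login filled into it. A WeakMap keeps
    // the state per form and drops it when the form is garbage collected.
    this.filledGuidByRoot = new WeakMap();
  }

  // Step 1: remember which saved login was filled into this form.
  recordFill(rootElement, login) {
    this.filledGuidByRoot.set(rootElement, login.guid);
  }

  // Step 2: on submission, decide whether to show the save prompt.
  shouldPromptToSave(rootElement, formOrigin, submitted) {
    const sameCredentials = (login) =>
      login.username === submitted.username &&
      login.password === submitted.password;

    // Re-read the login by guid so a login deleted since the fill is not
    // treated as known.
    const guid = this.filledGuidByRoot.get(rootElement);
    const filled = this.savedLogins.find((l) => l.guid === guid);
    if (filled && sameCredentials(filled)) {
      return false; // unchanged filled login, whatever origin it was saved for
    }
    // Nothing filled, or the user edited the fields after filling: fall back
    // to the origin-scoped check for an identical saved login.
    return !this.savedLogins.some(
      (l) => l.origin === formOrigin && sameCredentials(l));
  }
}
```

Because the state is keyed on the form root, a fill into one form does not suppress the prompt for a different form on the same page, and editing either field after the fill brings the prompt back.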
Assignee: saad → nobody
Status: ASSIGNED → NEW
Iteration: --- → 54.1 - Feb 6
Flags: qe-verify?
Whiteboard: [FxPrivacy]
I'm going to implement only the minimal subset of this in bug 1330111 which is saving which username and password were filled. This bug will still have to handle sending that data through the prompt code and avoiding saving if it's a known login. WIP patch coming up.
Assignee: MattN+bmo → nobody
No longer blocks: 1330111
Status: ASSIGNED → NEW
Iteration: 54.1 - Feb 6 → ---
Depends on: 1330111
Flags: qe-verify? → qe-verify-
Whiteboard: [FxPrivacy]
Iteration: --- → 54.2 - Feb 20
Whiteboard: [FxPrivacy]
Whiteboard: [FxPrivacy] → [passwords:fill-ui]
Assignee: nobody → jaws
Status: NEW → ASSIGNED
Iteration: 54.2 - Feb 20 → ---
Attachment #8832356 - Attachment is obsolete: true
Summary: Keep track of which login is filled into a FormLike so we know it's not a new login when used on a different origin → Don't prompt to re-save a filled login when used on a different origin
Attachment #9048602 - Attachment description: Bug 1294194 - Keep track of which login is filled into a FormLike so we know it's not a new login when used on a different origin. r?MattN → Bug 1294194 - Don't prompt to re-save a filled login when used on a different origin. r?MattN
Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/bdf395eb0c64
Don't prompt to re-save a filled login when used on a different origin. r=MattN
Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/78ac916246b1
Don't prompt to re-save a filled login when used on a different origin. r=MattN
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67

Do you have an example of a website where I could reproduce and verify this bug? How should I proceed to verify it?

Flags: needinfo?(MattN+bmo)

I think what you can do for this bug and bug 1147563 is:

  1. Find a password field inside a <form> element on a public website (this might not work on sites which use CSP) and add/change the action attribute to point to a different origin e.g. action="https://localhost" (will give an error if you aren't running a localhost HTTPS server but that shouldn't affect the doorhanger behaviour which is relevant here)
  2. Submit the form and save the login. If you look in logins.json of your profile folder you should see the formSubmitURL is https://localhost.
  3. Reload that same login form without the action changes.
  4. Only after bug 1147563 and this bug, you should get autocomplete with that new login.
  5. Fill that new login via autocomplete
  6. Submit the form

Expected result:
No doorhanger to save the login again (with the new formSubmitURL)

Flags: needinfo?(jaws)
Flags: needinfo?(MattN+bmo)