Open Bug 1298952 Opened 8 years ago Updated 2 years ago

Password manager asking to add a username to a password-only login when the form wasn't interacted with

Categories

(Toolkit :: Password Manager, defect, P3)

Tracking

Tracking Status
firefox48 --- unaffected
firefox49 --- unaffected
firefox-esr45 --- unaffected
firefox50 --- unaffected
firefox51 --- wontfix
firefox52 --- fix-optional
firefox53 --- fix-optional

People

(Reporter: blassey, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: regression, Whiteboard: [passwords:heuristics])

Attachments

(2 files)

I'm seeing this on expensify.com. Every time I click a link to navigate, the "would you like to update this login" doorhanger appears.
[Tracking Requested - why for this release]:

Thanks for the report. This is likely from bug 1166947.

Does Firefox have a saved password for this account? Are both the username and password correct in Saved Passwords?
Assignee: nobody → MattN+bmo
Blocks: 1166947
Status: NEW → ASSIGNED
Keywords: regression
Priority: -- → P1
Tracking 51+ for this regression.
Could you provide answers to comment 1? I can't reproduce with my profile
Flags: needinfo?(blassey.bugs)
Has STR: --- → no
Keywords: steps-wanted
(In reply to Matthew N. [:MattN] from comment #3)
> Could you provide answers to comment 1? I can't reproduce with my profile
Sorry, I thought I did (might have mid-aired). Yes I have a password and yes it matches
Flags: needinfo?(blassey.bugs)
So I can see that we run the capture code upon navigation because there is a formless password field for Freshbooks integration which we autofill (I censored my email address below):
> LoginManagerContent: Username field  <input id="dialog_freshbooks_company" name="freshbooks_company" class="medium" type="text"> has name/value: freshbooks_company / mnooXXXberghe@mozilla.com  LoginManagerContent.jsm:749
> LoginManagerContent: Password field <input id="dialog_freshbooks_token" name="freshbooks_token" type="password"> has name:  freshbooks_token  LoginManagerContent.jsm:757

In my case I get the following:
> LoginManagerParent: Found an existing login matching this form submission  LoginManagerParent.jsm:409
> nsLoginManager: Modifying login  nsLoginManager.js:324

Which means that we found an exact match for the saved login so we aren't prompting to update/save and then we update the metadata for timesUsed/timeLastUsed, etc. (the latter isn't ideal but it's not annoying the user).

(In reply to Brad Lassey [:blassey] (use needinfo?) from comment #4)
> (In reply to Matthew N. [:MattN] from comment #3)
> > Could you provide answers to comment 1? I can't reproduce with my profile
> Sorry, I thought I did (might have mid-aired). Yes I have a password and yes
> it matches

Are you sure both the username and password match exactly? Do you only have one saved login for *expensify.com (http or https)? If you could attach the Debug Logging[1] like I did it would help a lot.

Thanks

[1] https://wiki.mozilla.org/Firefox:Password_Manager_Debugging
Flags: needinfo?(blassey.bugs)
In the interest of a quick reply, when I said it matches, I'm basing that on the fact that I logged in using that saved username/password combo
onLocationChange handled: "https://www.expensify.com/reports" <unavailable>  LoginManagerContent.jsm:82
_onNavigation: state: <unavailable> loginFormRootElements size: 2 document: <unavailable>  LoginManagerContent.jsm:833
Ignoring navigation for the form root to avoid multiple prompts since it was for a real <form>  LoginManagerContent.jsm:841
_onFormSubmit <unavailable>  LoginManagerContent.jsm:859
_filterRecipesForForm <unavailable>  LoginRecipes.jsm:197
getFieldOverrides: filtered recipes: <unavailable>  LoginRecipes.jsm:222
Username field  <unavailable> has name/value: freshbooks_company / bXXXy@XXX.com  LoginManagerContent.jsm:749
Password field <unavailable> has name:  freshbooks_token  LoginManagerContent.jsm:757
nsLoginManager:Checking if logins to "https://www.expensify.com" can be saved.  nsLoginManager.js:440
nsLoginManager:Searching for logins  nsLoginManager.js:397
Login storage:_searchLogins: returning 2 logins for Object { hostname: "https://www.expensify.com", formSubmitURL: "https://www.expensify.com" } with options Object { schemeUpgrades: true }  storage-json.js:362
Login crypto:SDR slot status is 5 crypto-SDR.js:174
LoginManagerParent:Found an existing login matching this form submission  LoginManagerParent.jsm:409
LoginManagerParent:...empty username update, prompting to change.  LoginManagerParent.jsm:417
LoginManagerPrompter:===== initialized =====  nsLoginManagerPrompter.js:695
LoginManagerPrompter:promptToChangePassword  nsLoginManagerPrompter.js:1164
nsLoginManager:Searching for logins  nsLoginManager.js:397
Login storage:_searchLogins: returning 2 logins for Object { httpRealm: null, hostname: "https://www.expensify.com", formSubmitURL: "https://www.expensify.com" } with options Object { schemeUpgrades: true }  storage-json.js:362
Login crypto:SDR slot status is 5 crypto-SDR.js:174
Invalid chrome URI: /Attempt to set a forbidden header was denied: Connection  26856191-lcs_client_bin.js:94:385
Attempt to set a forbidden header was denied: Connection  2082066099-bc_manager_core.js:115:107

       
So if I read that right, the stored username/password combo doesn't have the username. However, the username is auto-filled when I log in.
Flags: needinfo?(blassey.bugs)
(In reply to Brad Lassey [:blassey] (use needinfo?) from comment #7)   
> So if I read that right, the stored username/password combo doesn't have the
> username. However, the username is auto-filled when I log in.

Thanks Brad. Yeah, in the password manager (which I asked you to look at in comment 1) it seems like you don't have a username saved but had a matching password. The page is probably pre-filling the username on the login page using a cookie value, i.e. it's not coming from pwmgr/Firefox, so that's why we're asking to add it.

In case it's not clear, if you click Update once, the prompt shouldn't appear again. If it does then there's a bigger problem.

This is really an issue since bug 1016051, which started offering to add a username to a password-only login, but since the Expensify "form" in question doesn't use a <form>, this prompt only started appearing there after bug 1166947.

Some potential options to address this:
* Don't prompt to add a username if the user didn't interact with the form in some way. The downside is that means we won't capture a username in cases where the username is remembered via a cookie.
* For a given session, remember that we already asked about an origin+un+pw combo and don't keep asking for the same combo.

Since there is a somewhat obvious action for users to stop this (click Update or Never Remember), there was only one user report, the prompt is actually trying to help the user who already uses pwmgr, and this only affects an uncommon scenario of hidden forms, I'm lowering the priority of this and removing tracking.

(It may be a regression by some definitions and I agree it's not an ideal behaviour for this specific case but I would consider it minor for the above reasons.)
Assignee: MattN+bmo → nobody
Blocks: 1016051
Severity: normal → minor
Status: ASSIGNED → NEW
Has Regression Range: --- → yes
Has STR: no → yes
Keywords: steps-wanted
OS: Unspecified → All
Priority: P1 → P3
Hardware: Unspecified → All
Summary: Password manager asking to save password on every navigation → Password manager asking to add a username to a password-only login when the form wasn't interacted with
Version: unspecified → Trunk
Whiteboard: [passwords:heuristics]
See Also: → 1388674
Attached file Test case
Blocks: 1588824
Severity: minor → S4
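
A simplified model of the two options proposed above (skip the prompt without user interaction, or remember the origin+un+pw combo for the session), added here as an example. It is not Firefox's password manager code, and every name in it (`decideCapturePrompt`, `PromptMemory`, `replay`, the policy strings and result strings) is an assumption.

```javascript
// Added illustration, not Firefox's LoginManager code. All names are hypothetical.

// Option 2: per-session record of origin+username+password combos already asked about.
class PromptMemory {
  constructor() { this.seen = new Set(); }
  alreadyAsked(origin, username, password) {
    const key = JSON.stringify([origin, username, password]);
    if (this.seen.has(key)) return true;
    this.seen.add(key);
    return false;
  }
}

function decideCapturePrompt(savedLogins, submission, memory = null, opts = {}) {
  const { origin, username, password, userInteracted } = submission;
  const sameOrigin = savedLogins.filter(l => l.origin === origin);
  // Exact username+password match: nothing to ask.
  if (sameOrigin.some(l => l.username === username && l.password === password)) {
    return "no-prompt:exact-match";
  }
  // Saved login has no username but the password matches: the
  // "empty username update" case from the debug log.
  const passwordOnly = sameOrigin.some(l => l.username === "" && l.password === password);
  if (passwordOnly && username !== "") {
    // Option 1: skip when the user never touched the fields (page-prefilled value).
    if (opts.requireInteraction && !userInteracted) return "no-prompt:no-interaction";
    // Option 2: ask at most once per session for the same combo.
    if (memory && memory.alreadyAsked(origin, username, password)) return "no-prompt:already-asked";
    return "prompt:add-username";
  }
  return "prompt:save-or-update"; // simplified catch-all for everything else
}

// Constructed sample data: one password-only saved login, and a capture that
// fires on each navigation with a username the page filled in itself.
const SAVED = [{ origin: "https://www.expensify.com", username: "", password: "constructed-token" }];
const CAPTURE = { origin: "https://www.expensify.com", username: "user@example.com",
                  password: "constructed-token", userInteracted: false };

// Replays the same capture over several navigations under a given policy.
function replay(navigations, policy) {
  const memory = policy === "session-memory" ? new PromptMemory() : null;
  const opts = { requireInteraction: policy === "require-interaction" };
  return Array.from({ length: navigations }, () => decideCapturePrompt(SAVED, CAPTURE, memory, opts));
}

console.log(replay(3, "reported"), replay(3, "require-interaction"), replay(3, "session-memory"));
```

Under the `require-interaction` policy the page-prefilled username is never offered for saving, which is the downside named for the first option; `session-memory` still offers it once.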