Closed
Bug 1314478
Opened 8 years ago
Closed 8 years ago
Contextual Insecure Password Warning should show up for all username fields, even when there are no saved login
Categories
(Toolkit :: Password Manager, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla52
People
(Reporter: tanvi, Assigned: timdream)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
58 bytes,
text/x-review-board-request
|
MattN
:
review+
jcristau
:
approval-mozilla-aurora+
|
Details |
The Contextual Insecure Password Warning should show up on all username fields, even those where the user has no saved logins for a site. The way the codebase works today (along with the work in bug 1217162), the warning is only useful to users who use Firefox's Password Manager, and only on the sites where that user has a stored password. This is because we look for MarkAsLoginManagerField when deciding whether to show the dropdown. That is only set on username fields where the Login Manager has a saved password. It is not set on username fields if there are no Login Manager entries. There could be various solutions to this, and perhaps MattN can chime in on them. One is to create something like "MarkAsUsernameField"/ "MarkAsLoginField" / "MarkAsLoginFieldForInsecureWarning". And I believe Matt has another idea as well. We need to track this for Firefox 52. Without this, we will show the contextual warning on less than half of the pages that we should. Note that when we do https://bugzilla.mozilla.org/show_bug.cgi?id=1289913, we will show the warning on all password fields, regardless of whether there is a saved password. But, by the time the user is typing their password, they have already revealed information. Moreover, the user may look at their keyboard while entering the password and not look up to see the warning until their whole password is entered.
Assignee | ||
Comment 1•8 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #0) > There could be various solutions to this, and perhaps MattN can chime in on > them. One is to create something like "MarkAsUsernameField"/ > "MarkAsLoginField" / "MarkAsLoginFieldForInsecureWarning". And I believe > Matt has another idea as well. A quick decision here can help a lot :) (I believe the engineering required is not that much, once we know what to do)
Flags: needinfo?(MattN+bmo)
Comment 2•8 years ago
|
||
(In reply to Tim Guan-tin Chien [:timdream] (please needinfo) from comment #1) > (In reply to Tanvi Vyas [:tanvi] from comment #0) > > There could be various solutions to this, and perhaps MattN can chime in on > > them. One is to create something like "MarkAsUsernameField"/ > > "MarkAsLoginField" / "MarkAsLoginFieldForInsecureWarning". And I believe > > Matt has another idea as well. We'll call the above options A and B: * Option A (MarkAsUsernameField): I think the problem with this approach (other than the obvious duplication of code) is that we are making the insecure password warning such that it can only show up on login manager controlled fields so MarkAsUsernameField would have to be a subset of MarkAsLoginManagerField meaning we would lose the autocomplete results when pwmgr isn't used. * Option B (MarkAsLoginFieldForInsecureWarning): If MarkAsLoginFieldForInsecureWarning was only used on insecure forms then that would limit the downside mentioned above to only insecure forms which I think is okay. > A quick decision here can help a lot :) (I believe the engineering required > is not that much, once we know what to do) The reason we only mark username fields if there are saved logins is so that if a user doesn't save logins for a site, we at least help them by autocompleting their username. The ideal solution in terms of functionality (perhaps not UX) is bug 1166112 but that has some other dependencies and won't be ready for 52 when we want to release the warning. I had two other ideas to help show the warning more while still helping users with form history when pwmgr isn't used: * Option C: mark all username fields as login manager fields (with the existing method) but if there are no password manager results from mLoginManager->AutoCompleteSearchAsync, use formAutoComplete->AutoCompleteSearchAsync the results from formAutoComplete->AutoCompleteSearchAsync instead. Because of the async nature of async autocomplete population I think this may be too messy. * Option D (like B but without a new method): Mark all insecure username fields as login manager fields with the existing markAsLoginManagerField method but continue only marking secure username fields if there are saved logins. This requires adjusting code related to https://dxr.mozilla.org/mozilla-central/rev/3bfde35a0d18a643485ffd5073f3bc6a79e0ae48/toolkit/components/passwordmgr/LoginManagerContent.jsm#1017-1027 We need to move the markAsLoginManagerField earlier in the method before some of the early returns. I think option D is the simplest while limiting the regression of autocomplete on username fields without a saved login to only insecure ones so I recommend that we implement that.
Flags: needinfo?(MattN+bmo)
Comment 3•8 years ago
|
||
A testcase can be added to test_insecure_form_field_autocomplete.html
Reporter | ||
Comment 4•8 years ago
|
||
I spoke with Matt and agree we should go with Option D. This means: 1) Mark all insecure username fields with MarkAsLoginManagerField. This requires an update to this code. https://dxr.mozilla.org/mozilla-central/rev/3bfde35a0d18a643485ffd5073f3bc6a79e0ae48/toolkit/components/passwordmgr/LoginManagerContent.jsm#1017-1027 We shouldn't return early if no logins are found. Instead, we should check if the page is insecure. If the page is insecure, we should mark the field with "this._formFillService.markAsLoginManagerField(usernameField);" and then return. I'm not sure if we should check for security with hasInsecureLoginForms or isFormSecure: https://dxr.mozilla.org/mozilla-central/rev/3bfde35a0d18a643485ffd5073f3bc6a79e0ae48/toolkit/components/passwordmgr/LoginManagerContent.jsm#454 http://searchfox.org/mozilla-central/source/toolkit/components/passwordmgr/InsecurePasswordUtils.jsm#78 2) Add a test to test_insecure_form_field_autocomplete.html 3) Implications: When a user visits and insecure page with no saved logins, they previously could use the form history autocomplete to autocomplete a username. Now, the user will have access to form history autocomplete on insecure pages with no saved logins. We need someone to pick up this bug.
Assignee | ||
Updated•8 years ago
|
Flags: needinfo?(timdream)
Assignee | ||
Comment 5•8 years ago
|
||
Yeah, this is something I should be able to do this week as long as my schedule is not filled with meetings!
Assignee: nobody → timdream
Status: NEW → ASSIGNED
Flags: needinfo?(timdream)
Assignee | ||
Comment 6•8 years ago
|
||
I got the WIP ready and I am now working on the tests. The required fix on where comment 4 points at but is not exactly what's suggested here.
Assignee | ||
Comment 7•8 years ago
|
||
I have trouble figure out creating a valid test in test_insecure_form_field_autocomplete.html because the reproduction of this bug requires no saved login at the time the document is loaded. My newly added test reduces to the same form1 test case on that file. We'll probably need to add a new file (something I try to avoid...)
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 11•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=3b1115405cb19163d407952874170ea82e1698ae
Assignee | ||
Comment 12•8 years ago
|
||
:tanvi, it would be great if you could review this before :MattN. He might be OOO this week. Thanks!
Flags: needinfo?(tanvi)
Comment 13•8 years ago
|
||
(In reply to Tim Guan-tin Chien [:timdream] (please needinfo) from comment #7) > I have trouble figure out creating a valid test in > test_insecure_form_field_autocomplete.html because the reproduction of this > bug requires no saved login at the time the document is loaded. My newly > added test reduces to the same form1 test case on that file. We'll probably > need to add a new file (something I try to avoid...) You just need to change the form action so that the login doesn't match.
Comment 15•8 years ago
|
||
mozreview-review |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review91312 Please double-check that the test fails without your code changes. r=me with the code movement below: ::: toolkit/components/passwordmgr/LoginManagerContent.jsm:975 (Diff revision 3) > + if (foundLogins.length == 0 && !usernameField) { > + // We don't log() here since this is a very common case. > + recordAutofillResult(AUTOFILL_RESULT.NO_SAVED_LOGINS); > + return; > + } Hey Tim, Why did you move this so high? It's going to change our telemetry data for no clear reason as it seems like it should only be moved right above "// Prevent autofilling insecure forms."
Attachment #8808087 -
Flags: review?(MattN+bmo) → review+
Comment hidden (mozreview-request) |
Assignee | ||
Comment 17•8 years ago
|
||
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, Patch changed so we don't trigger different telemetry flags.
Attachment #8808087 -
Flags: review+ → review?(MattN+bmo)
Assignee | ||
Comment 18•8 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #4) > I'm not sure if we should check for security with hasInsecureLoginForms or > isFormSecure: > https://dxr.mozilla.org/mozilla-central/rev/ > 3bfde35a0d18a643485ffd5073f3bc6a79e0ae48/toolkit/components/passwordmgr/ > LoginManagerContent.jsm#454 > http://searchfox.org/mozilla-central/source/toolkit/components/passwordmgr/ > InsecurePasswordUtils.jsm#78 By the way, |hasInsecureLoginForms| checks the top window and |isFormSecure| checks the actual form. We already have the formLike in _fillForm and it's possible to have an insecure from within a secure page, so the correct method to use is |isFormSecure|.
Reporter | ||
Comment 19•8 years ago
|
||
(In reply to Tim Guan-tin Chien [:timdream] (please needinfo) from comment #17) > Comment on attachment 8808087 [details] > Bug 1314478 - Always find and mark the usernameField on insecure pages, > > Patch changed so we don't trigger different telemetry flags. Interdiff showed the only change is moving the lines of code for telemetry: https://reviewboard.mozilla.org/r/91018/diff/3-4/ Matt, is this moved to the right place, or does it need to be two if blocks later, after: if (passwordField.disabled || passwordField.readOnly) { Tim, can you push to try again?
Assignee | ||
Comment 20•8 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #19) > (In reply to Tim Guan-tin Chien [:timdream] (please needinfo) from comment > #17) > Interdiff showed the only change is moving the lines of code for telemetry: > https://reviewboard.mozilla.org/r/91018/diff/3-4/ Please don't look at the interdiff but the actual patch. It has reduced to a very-easy-to-understand place. > Tim, can you push to try again? I did, through MozReview, see https://treeherder.mozilla.org/#/jobs?repo=try&revision=0b1746bf247b Though the bc7 errors should probably be investigated ...
Assignee | ||
Comment 21•8 years ago
|
||
Rebased and push again: https://treeherder.mozilla.org/#/jobs?repo=try&revision=4fe375c76e24a51df20ee512d1fbac6da56872c9
Assignee | ||
Comment 22•8 years ago
|
||
The patch might be in conflict with bug 1289913. Even if it's not, I should manually test the patch on top of that bug, after it lands.
Depends on: 1289913
Comment 23•8 years ago
|
||
(In reply to Tanvi Vyas [:tanvi] from comment #19) > (In reply to Tim Guan-tin Chien [:timdream] (please needinfo) from comment > #17) > > Comment on attachment 8808087 [details] > > Bug 1314478 - Always find and mark the usernameField on insecure pages, > > > > Patch changed so we don't trigger different telemetry flags. > > Matt, is this moved to the right place, or does it need to be two if blocks > later, after: > if (passwordField.disabled || passwordField.readOnly) { You're right. I believe it should be two if blocks later like I said before.
Comment 24•8 years ago
|
||
mozreview-review |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92208
Attachment #8808087 -
Flags: review?(MattN+bmo)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 26•8 years ago
|
||
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=f466bd533e2180d71c77a8755b01be63084bb7d1
Comment 27•8 years ago
|
||
mozreview-review |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92220 ::: toolkit/components/passwordmgr/LoginManagerContent.jsm:978 (Diff revision 5) > + // one. This is normally used to select from multiple accounts, > + // but even with one account we should refill if the user edits. > + // We would also need this attached to show the insecure login > + // warning, regardless of saved login. > + if (usernameField) { > + this._formFillService.markAsLoginManagerField(usernameField); This should move after the passwordField and readOnly/disabled checks too unless you're sure that it won't cause any undesired effects once we handle the first focus. Keeping it closer to where it was is less risky so that's what I would prefer.
Attachment #8808087 -
Flags: review?(MattN+bmo)
Comment hidden (mozreview-request) |
Comment 29•8 years ago
|
||
mozreview-review |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92320 Thanks
Attachment #8808087 -
Flags: review?(MattN+bmo) → review+
Comment 30•8 years ago
|
||
mozreview-review |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92322 ::: toolkit/components/passwordmgr/LoginManagerContent.jsm:943 (Diff revision 6) > > try { > - // Nothing to do if we have no matching logins available. > - if (foundLogins.length == 0) { > + // Nothing to do if we have no matching logins available, > + // and there isn't a need to show the insecure form warning. > + if (foundLogins.length == 0 && > + InsecurePasswordUtils.isFormSecure(form)) { Really the pref should be taken into account here so we don't regress behaviour when the insecure warning is disabled: `foundLogins.length == 0 && (InsecurePasswordUtils.isFormSecure(form) || !warningEnabled)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 32•8 years ago
|
||
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6a9cce73bbce6dcac150ba96f0fec48c74f5d2ba
Assignee | ||
Comment 33•8 years ago
|
||
(In reply to Matthew N. [:MattN] (away Nov. 3–7) from comment #30) > Really the pref should be taken into account here so we don't regress > behaviour when the insecure warning is disabled: > > `foundLogins.length == 0 && (InsecurePasswordUtils.isFormSecure(form) || > !warningEnabled) I added that, but this requires the pref to be flipped *before* the mochitest test page loads. Do you know if we have mechanics to do that? If we don't have something readily available, I would try to test this with within an iframe.
Flags: needinfo?(MattN+bmo)
Assignee | ||
Comment 34•8 years ago
|
||
Never mind, just found SpecialPowers.setBoolPref()
Flags: needinfo?(MattN+bmo)
Comment hidden (mozreview-request) |
Assignee | ||
Comment 36•8 years ago
|
||
try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=39f0bb28c62fa5b2bdb9f6202f2ed45889e46fe9
Comment 37•8 years ago
|
||
mozreview-review |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92542 ::: toolkit/components/passwordmgr/LoginManagerContent.jsm:940 (Diff revisions 6 - 8) > + let prefShowInsecureFieldWarning = > + Preferences.get(PREF_INSECURE_FIELD_WARNING_ENABLED, false); See the first part of bug 1289913 comment 47 and the patch there about how to make this pref live. ::: toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_no_saved_login.html:37 (Diff revisions 6 - 8) > +// Set to pref before the document loads. > +SpecialPowers.setBoolPref( > + "security.insecure_field_warning.contextual.enabled", true); If you make the pref live using LoginHelper this may not need to change anymore. Does SpecialPowers.setBoolPref automatically clean up the pref at the end of the test file like pushPrefEnv does? If not, that needs to be handled.
Comment 38•8 years ago
|
||
mozreview-review |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92544 ::: toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_no_saved_login.html (Diff revisions 6 - 8) > return Promise.resolve(); > } > > -add_task(function* setup() { > - yield SpecialPowers.pushPrefEnv({"set": [["security.insecure_field_warning.contextual.enabled", true]]}); > - listenForUnexpectedPopupShown(); Also, is it intentional that you removed `listenForUnexpectedPopupShown()`?
Comment hidden (mozreview-request) |
Assignee | ||
Comment 40•8 years ago
|
||
mozreview-review-reply |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92542 > See the first part of bug 1289913 comment 47 and the patch there about how to make this pref live. Do you really want to touch this in this bug? I will ended up touching other part of LoginManagerContent.jsm that is unrelated to this bug. > If you make the pref live using LoginHelper this may not need to change anymore. Does SpecialPowers.setBoolPref automatically clean up the pref at the end of the test file like pushPrefEnv does? If not, that needs to be handled. > If you make the pref live using LoginHelper this may not need to change anymore. How? LoginHelper would still rely on actually flipping the pref right? > Does SpecialPowers.setBoolPref automatically clean up the pref at the end of the test file like pushPrefEnv does? If not, that needs to be handled. Fixed.
Comment hidden (mozreview-request) |
Comment hidden (mozreview-request) |
Assignee | ||
Comment 43•8 years ago
|
||
Rebased on top of latest m-c on top of bug 1289913. try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=9e2caba62ad78e1fc64f9f6479e7059cc8acc5a3
Comment 44•8 years ago
|
||
mozreview-review-reply |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92542 > Do you really want to touch this in this bug? I will ended up touching other part of LoginManagerContent.jsm that is unrelated to this bug. Yeah, after rebasing you got this for free. > > If you make the pref live using LoginHelper this may not need to change anymore. > > How? LoginHelper would still rely on actually flipping the pref right? > > > Does SpecialPowers.setBoolPref automatically clean up the pref at the end of the test file like pushPrefEnv does? If not, that needs to be handled. > > Fixed. Yeah, my point is that you can go back to the normal way of doing this with `yield SpecialPowers.pushPrefEnv({"set": [["security.insecure_field_warning.contextual.enabled", true]]});` in the "setup" task so you get cleanup for free (like you had in revision 7).
Comment 45•8 years ago
|
||
mozreview-review-reply |
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, https://reviewboard.mozilla.org/r/91018/#review92542 > Yeah, my point is that you can go back to the normal way of doing this with > `yield SpecialPowers.pushPrefEnv({"set": [["security.insecure_field_warning.contextual.enabled", true]]});` in the "setup" task so you get cleanup for free (like you had in revision 7). Ah, I forgot this check is in `_fillForm` so you would still need to set the pref before the field is found (like you are) unless you change the test to create the password field dynamically.
Comment 46•8 years ago
|
||
Pushed by mozilla@noorenberghe.ca: https://hg.mozilla.org/integration/mozilla-inbound/rev/be95aa5249cf Always find and mark the usernameField on insecure pages, r=MattN
Comment 47•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/be95aa5249cf
Comment hidden (obsolete) |
Assignee | ||
Comment 50•8 years ago
|
||
Sorry, wrong bug: Approval Request Comment [Feature/Bug causing the regression]: Bug 1289913 [User impact if declined]: Incorrect behavior of bug 1289913 when enabled on Fx52. User will not be able to select previously saved login on HTTP page without this fix. [Is this code covered by automated tests?]: Yes [Has the fix been verified in Nightly?]: Yes [Needs manual test from QE? If yes, steps to reproduce]: See comment 0 [List of other uplifts needed for the feature/fix]: See dependency in bug 1289913 [Is the change risky?]: No [Why is the change risky/not risky?]: This changes make sure we still allow user to select a saved login on HTTP pages, when the feature is enabled. [String changes made/needed]: No
Comment 51•8 years ago
|
||
Sorry, I don't understand what "See dependency in bug 1289913" means in terms of other needed uplifts.
Flags: needinfo?(timdream)
Assignee | ||
Updated•8 years ago
|
Assignee | ||
Comment 52•8 years ago
|
||
(In reply to Julien Cristau [:jcristau] from comment #51) > Sorry, I don't understand what "See dependency in bug 1289913" means in > terms of other needed uplifts. Sorry, the answer to that question should be "none" since other patches should have their own uplift requests requested.
Flags: needinfo?(timdream)
Comment 53•8 years ago
|
||
Comment on attachment 8808087 [details] Bug 1314478 - Always find and mark the usernameField on insecure pages, show insecure password warning on more forms, for aurora52
Attachment #8808087 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 54•8 years ago
|
||
bugherder uplift |
https://hg.mozilla.org/releases/mozilla-aurora/rev/40ddf243c06d
Comment 55•7 years ago
|
||
Verified as fixed on 53.0a1/20170116030326 and 52.0a2/20170112004017.
Updated•7 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•