Closed Bug 1330810 Opened 3 years ago Closed 3 years ago
Password Manager mistakenly thinks United Airlines online-checkin "Edit Frequent Flyer Details" form is a password form
STR:
0. Have a United Flight that you can check in for. (Sorry, this is kind of a limiting factor on testing this bug)
1. Have two different logins saved for united.com in Password Manager
2. Visit https://www.united.com/travel/checkin/ to check in for a United flight.
3. Click "Edit Frequent Flyer Details"
4. If you don't already have a Frequent Flyer program selected, choose one and enter some value.
5. Click "Continue"

ACTUAL RESULTS: Firefox pops up a modal dialog, asking me which account I'd like to change the password for. (But I'm not intending to change the password... Nor did I even just enter a password.)

EXPECTED RESULTS: No such popup.
Here's a screenshot of the popup that I hit.
Tested in a fresh profile now (with no saved logins) -- there, the STR produce a doorhanger that says:
> Would you like Nightly to save this password for united.com?
> Username: [No username]
> Password: F....7 (my frequent flier number)

And then if I save a (bogus) login by typing in "bogus"/"bogus" at https://www.united.com/web/en-US/apps/account/signin.aspx in a separate tab and accepting that into the Password Manager, then my STR produce slightly different results, with a doorhanger again:
> Would you like to update this login?
> Username: bogus
> Password: F....7 (my frequent flier number)

INTERESTING NOTE: In my case, I'm checking in for *two people*, so the form shows me two different frequent flier number fields. If I enter values into *both* fields, then Firefox doesn't prompt me with anything. (But it does in the saved version of the website that I just mailed to MattN, I think)
So really the underlying problem is that we're thinking this is a login form (or perhaps a change-password form), but it's really not. I think we need to prevent ourselves from interpreting this "edit frequent flyer details" page as a login form.
For now I'll make a recipe to not save anything on this URL.
Assignee: nobody → MattN+bmo
Status: NEW → ASSIGNED
Component: Password Manager → Password Manager: Site Compatibility
Depends on: 1330829
I tested a local build with this patch & bug 1330829's patches applied (using a fresh profile, and then a profile with 1 saved login, and then a profile with 2 saved logins), and I confirmed I didn't get any notifications when performing the STR. (And I saw "skipping password field ... due to recipe" in my browser console output, via the "signon.debug" about:config logging pref) So, from a bug-reporter perspective, MattN's fixes seem to do the trick!
(In reply to Daniel Holbert [:dholbert] from comment #6)
> I tested a local build with this patch & bug 1330829's patches

(sorry, typo -- I meant to say "& bug 1330829's *patch*" -- singular, as there's only one patch on that bug.)
Comment on attachment 8826430
Bug 1330810 - Disable password manager on www.united.com/travel/checkin/changefqtv.aspx.
https://reviewboard.mozilla.org/r/104372/#review105140
Attachment #8826430 - Flags: review?(jhofmann) → review+
Thanks for checking, Daniel!
Pushed by firstname.lastname@example.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5fd77a2de293
Disable password manager on www.united.com/travel/checkin/changefqtv.aspx. r=johannh