Closed Bug 1330810 Opened 3 years ago Closed 3 years ago

Password Manager mistakenly thinks United Airlines online-checkin "Edit Frequent Flyer Details" form is a password form

Categories

(Toolkit :: Password Manager: Site Compatibility, defect)


RESOLVED FIXED
mozilla53
Tracking Status
firefox53 --- fixed

People

(Reporter: dholbert, Assigned: MattN)

Attachments

(2 files)

STR:
 0. Have a United Flight that you can check in for.
    (Sorry, this is kind of a limiting factor on testing this bug)

 1. Have two different logins saved for united.com in Password Manager
 2. Visit https://www.united.com/travel/checkin/ to check in for a United flight.
 3. Click "Edit Frequent Flyer Details"
 4. If you don't already have a Frequent Flyer program selected, choose one and enter some value.
 5. Click "Continue"

ACTUAL RESULTS:
Firefox pops up a modal dialog, asking me which account I'd like to change the password for.  (But I'm not intending to change the password... Nor did I even just enter a password.)

EXPECTED RESULTS: No such popup.

Here's a screenshot of the popup that I hit.

Tested in a fresh profile now (with no saved logins) -- there, the STR produce a doorhanger that says:
> Would you like Nightly to save this password for united.com?
> Username: [No username]
> Password: F....7 (my frequent flier number)

And then if I save a (bogus) login by typing in "bogus"/"bogus" at https://www.united.com/web/en-US/apps/account/signin.aspx in a separate tab and accepting that into the Password Manager, then my STR produce slightly different results, with a doorhanger again:
> Would you like to update this login?
> Username: bogus
> Password: F....7 (my frequent flier number)

INTERESTING NOTE: In my case, I'm checking in for *two people*, so the form shows me two different frequent flier number fields. If I enter values into *both* fields, then Firefox doesn't prompt me with anything. (But it does in the saved version of the website that I just mailed to MattN, I think)

So really the underlying problem is that we're thinking this is a login form (or perhaps a change-password form), but it's really not. I think we need to prevent ourselves from interpreting this "edit frequent flyer details" page as a login form.

For now I'll make a recipe to not save anything on this URL.

Assignee: nobody → MattN+bmo
Status: NEW → ASSIGNED
Component: Password Manager → Password Manager: Site Compatibility
I tested a local build with this patch & bug 1330829's patches applied (using a fresh profile, and then a profile with 1 saved login, and then a profile with 2 saved logins), and I confirmed I didn't get any notifications when performing the STR.

(And I saw "skipping password field ... due to recipe" in my browser console output, via the "signon.debug" about:config logging pref)

So, from a bug-reporter perspective, MattN's fixes seem to do the trick!

(In reply to Daniel Holbert [:dholbert] from comment #6)
> I tested a local build with this patch & bug 1330829's patches

(sorry, typo -- I meant to say "& bug 1330829's *patch*" -- singular, as there's only one patch on that bug.)

Comment on attachment 8826430 [details]
Bug 1330810 - Disable password manager on www.united.com/travel/checkin/changefqtv.aspx.

https://reviewboard.mozilla.org/r/104372/#review105140
Attachment #8826430 - Flags: review?(jhofmann) → review+

Thanks for checking, Daniel!

Pushed by mozilla@noorenberghe.ca:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5fd77a2de293
Disable password manager on www.united.com/travel/checkin/changefqtv.aspx. r=johannh
https://hg.mozilla.org/mozilla-central/rev/5fd77a2de293
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53