Closed Bug 1330810 Opened 3 years ago Closed 3 years ago

Password Manager mistakenly thinks United Airlines online-checkin "Edit Frequent Flyer Details" form is a password form


(Toolkit :: Password Manager: Site Compatibility, defect)

Not set



Tracking Status
firefox53 --- fixed


(Reporter: dholbert, Assigned: MattN)





(2 files)

 0. Have a United Flight that you can check in for.
    (Sorry, this is kind of a limiting factor on testing this bug)

 1. Have two different logins saved for in Password Manager
 2. Visit to checkin for a United flight.
 3. Click "Edit Frequent Flyer Details"
 4. If you don't already have a Frequent Flyer program selected, choose one and enter some value.
 5. Click "Continue"

Firefox pops up a modal dialog, asking me which account I'd like to change the password for.  (But I'm not intending to change the password... Nor did I even just enter a password.)

EXPECTED RESULTS: No such popup.
Here's a screenshot of the popup that I hit.
Tested in a fresh profile now (with no saved logins) -- there, the STR produce a doorhanger that says:
> Would you like Nightly to save this password for
> Username: [No username]
> Password: F....7 (my frequent flier number)

And then if I save a (bogus) login by typing in "bogus"/"bogus" at in a separate tab and accepting that into the Password Manager, then my STR produce slightly different results, with a doorhanger again:
> Would you like to update this login?
> Username: bogus
> Password: F....7 (my frequent flier number)

INTERESTING NOTE: In my case, I'm checking in for *two people*, so the form shows me two different frequent flier number fields. If I enter values into *both* fields, then Firefox doesn't prompt me with anything. (But it does in the saved version of the website that I just mailed to MattN, I think)
So really the underlying problem is that we're thinking this is a login form (or perhaps a change-password form), but it's really not. I think we need to prevent ourselves from interpreting this "edit frequent flyer details" page as a login form.
For now I'll make a recipe to not save anything on this URL.
Assignee: nobody → MattN+bmo
Component: Password Manager → Password Manager: Site Compatibility
I tested a local build with this patch & bug 1330829's patches applied (using a fresh profile, and then a profile with 1 saved login, and then a profile with 2 saved logins), and I confirmed I didn't get any notifications when performing the STR.

(And I saw "skipping password field ... due to recipe" in my browser console output, via the "signon.debug" about:config logging pref)

So, from a bug-reporter perspective, MattN's fixes seem to do the trick!
(In reply to Daniel Holbert [:dholbert] from comment #6)
> I tested a local build with this patch & bug 1330829's patches

(sorry, typo -- I meant to say "& bug 1330829's *patch*" -- singular, as there's only one patch on that bug.)
Comment on attachment 8826430 [details]
Bug 1330810 - Disable password manager on
Attachment #8826430 - Flags: review?(jhofmann) → review+
Thanks for checking, Daniel!
Pushed by
Disable password manager on r=johannh
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.