Closed Bug 1406945 Opened 5 years ago Closed 5 years ago

Password prompt is show on each invocation of history.pushState or history.replaceState

Categories

(Toolkit :: Password Manager, defect, P1)

58 Branch
defect

Tracking

()

RESOLVED DUPLICATE of bug 1386283
Tracking Status
firefox56 --- fix-optional
firefox57 --- fix-optional
firefox58 --- fix-optional

People

(Reporter: hello, Unassigned)

References

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/61.0.3163.79 Chrome/61.0.3163.79 Safari/537.36

Steps to reproduce:

* Open https://jsfiddle.net/xgL1wt31/ in Firefox
* Enter username and a password and click on "login"
* The remember password prompt is shown. Click on "Don't save"
* Click on "pushState"


Actual results:

The remember password prompt is shown each time you click on "pushState" (when history.pushState is invoked).


Expected results:

The remember password prompt should only be shown once and not after clicking on "Don't save" or anywhere else on the screen.

Web-Apps like mail.tutanota.com use the pushState API in order to manipulate the URL on each click of a user which currently triggers the password prompt and makes these webapps unusable.

A workaround for older Firefox releases was to click on (save) "Never". However, this button has been removed from the latest firefox releases which makes webapps that make use of the pushState API completely unusable for Firefox users.
Severity: normal → major
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
(In reply to Tutanota from comment #0)
> Web-Apps like mail.tutanota.com use the pushState API in order to manipulate
> the URL on each click of a user which currently triggers the password prompt
> and makes these webapps unusable.

Why does the username and password field remain in the page after login? Hopefully the username and password aren't still populated in the hidden fields. I would recommend that the fields be removed from the document after login. Is there a reason that can't be done?

Btw. it would only be unusable for users who didn't choose to save their login.

> A workaround for older Firefox releases was to click on (save) "Never".
> However, this button has been removed from the latest firefox releases which
> makes webapps that make use of the pushState API completely unusable for
> Firefox users.

The Never option should still be there in the dropdown on the Not Now button.
Blocks: 1166947
Flags: needinfo?(hello)
(In reply to Matthew N. [:MattN] (huge backlog; PM if requests are blocking you) from comment #1)
> Why does the username and password field remain in the page after login?
> Hopefully the username and password aren't still populated in the hidden
> fields. I would recommend that the fields be removed from the document after
> login. Is there a reason that can't be done?

Do you refer to the example at https://jsfiddle.net/xgL1wt31/? I am removing both text fields after the login from the dom on line 3 (document.body.removeChild(document.getElementById("login"))).

> Btw. it would only be unusable for users who didn't choose to save their
> login.

That is true. It is "only" relevant for users that care about privacy and maximum account security.

> > A workaround for older Firefox releases was to click on (save) "Never".
> > However, this button has been removed from the latest firefox releases which
> > makes webapps that make use of the pushState API completely unusable for
> > Firefox users.
> 
> The Never option should still be there in the dropdown on the Not Now button.

You are right about this! I just re-tested with Firefox 57 and 58 and the Never option is there. Sorry, I probably mixed this up with another browser...
Flags: needinfo?(hello)
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Priority: -- → P1
Resolution: --- → DUPLICATE
Duplicate of bug: 1386283
You need to log in before you can comment on or make changes to this bug.