Open Bug 1427543 Opened 6 years ago Updated 6 months ago

make signon.autofillForms = false the default

Categories

(Toolkit :: Password Manager, task, P3)

Product:
Toolkit
Component:
Password Manager
Type:
task

Tracking

()

People

(Reporter: jkt, Unassigned)

References

(Depends on 2 open bugs, Blocks 1 open bug)

Details

(Keywords: parity-safari, sec-want) 

Given the changes in improving the account discoverability firefox now shows the available accounts on a single click, clicking the account populates it: https://bugzilla.mozilla.org/show_bug.cgi?id=1311301

Also given the recent focus of trackers to exploit autofill: https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

Firefox should consider removing populating forms by default.
Summary: Consider making signon.autofillForms = true to be the default → Consider making signon.autofillForms = false to be the default
Would it be possible to taint form elements created by 3rd party scripts and change default behavior there?  Or possibly prevent 3rd party scripts from "seeing" auto-filled values until the user interacts with it?
Last time we spoke to the DOM team about the work involved in tainting DOM elements in this manner it sounded like numerous quarters of work. Unless we have a desire to use that as a feature elsewhere it would be way too much work for this.
Could it be easier to do at a per-page level? When a third-party form element is created on a page, turn off auto-fill for the whole page?
There is also a dev-platform discussion for this: https://groups.google.com/forum/#!topic/mozilla.dev.platform/c0GD0iFzHro

The third party suggestion was proposed there and it's likely going to mean two things:
1. Confusion to users why sometimes autofill is/isn't working
2. Most sites won't get the advantage from autofill anyway due to the large number of forms created when a third party is loaded

Sites also still would be vulnerable to the exploit from third party scripts on their own forms too, so it would likely have to be all forms when a third party is loaded to be safe.
At https://senglehardt.com/demo/no_boundaries/loginmanager/ there is a simple test to verify the exploit. It can easily be mitigated by setting signon.autofillForms to "false" as default.

At the moment Firefox already has Auto-Fill turned off for insecure (HTTP) sites, so I think the average Firefox user won't be as confused as it might seem. He simply will click into the username field (as he already does on HTTP sites) and will be presented with the login data. The same is true when there are multiple options for filling the login form - the user has to click and select the identity he wants to use.

All in all I fully support the idea of the reporter to turn auto-fill completely off as default.
As jkt noted, we generally have a problem of dealing with multiple forms on the same page (bug 1304002). I wonder whether it makes sense to reduce autofilling to input interaction (i.e. when the user clicks on the input, autofill it). That would also solve bug 1304002.

There may or may not be problems with users entering their data very quickly and then colliding with autofill.
See Also: → 1304002
Depends on: 1174327
Priority: -- → P3
status-firefox58: affected → ---
status-firefox59: affected → ---
Priority: P3 → P2
Depends on: 1304002
See Also: 1304002

Safari has apparently shipped this but now they also auto-submit the form so it's the same number of clicks to fill and submit in the common case. I would be okay with that tradeoff.

Keywords: parity-safari
Depends on: 1579298
Priority: P2 → P3
Type: defect → enhancement
Keywords: sec-want
Summary: Consider making signon.autofillForms = false to be the default → make signon.autofillForms = false the default

Blog post about the Password Manager landscape that's getting some visibility: https://marektoth.com/blog/password-managers-autofill/

Type: enhancement → task
Blocks: 1755724
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.