Closed Bug 1506602 Opened 4 years ago Closed 2 years ago

The user can interact with the payment widget while the OS password prompt is displayed

Categories

(Firefox :: WebPayments UI, defect, P2)

All
Windows
defect

Tracking

VERIFIED FIXED
Firefox 76
Tracking Status
firefox76 --- verified

People

(Reporter: tbabos, Assigned: jaws)

References

Details

Attachments

(3 files, 1 obsolete file)

Attached video Video of the issue
[Affected versions]:
Nightly 65.0a1

[Affected platforms]:
Windows 7/10 x64

[Prerequisites]:
- set the pref dom.payments.request.enabled to "true"
- make sure to have at least one Shipping Address and saved CC 

[Steps to reproduce]:
1. Go to "https://rsolomakhin.github.io/pr/us/" and click on "Buy"
2. Select valid options in all fields
3. Click on "Buy" 
4. After the OS user password prompt appears click back on the payment widget
5. Select an invalid Credit Card
6. Remove one digit from the CVV
7. Return to the OS password prompt and fill in the good password

[Expected Result]:
The user should not be able to interact with the payment widget at all if the OS password prompt is displayed.

[Actual Result]:
Since the user can change any value on the payment widget, the payment will be processed even with invalid values after filling in the OS password. Please see the attached file.

[Notes]:
This issue is only reproducible on Windows. On Mac it works as expected.
Flags: qe-verify+
Blocks: 1429265
Whiteboard: [webpayments] [triage]
J.C., do you know if there is a way to make this dialog modal?
Flags: needinfo?(jjones)
Flags: needinfo?(jjones) → needinfo?(dkeeler)
We just need to get a handle on the parent window somehow and set it here: https://hg.mozilla.org/mozilla-central/annotate/ccfeb561645b/security/manager/ssl/OSReauthenticator.cpp#l113
I think Franziskus is set up to take care of this most quickly, but he can kick it back to me if he doesn't have time.
Flags: needinfo?(dkeeler) → needinfo?(franziskuskiefer)
Hm, I somewhat expected this to happen. I'm not sure if we can determine the right window in the re-authenticator. I'd prefer getting the window handle passed in with the asyncReauthenticateUser call. I'll make a patch to show how that'd look.
Flags: needinfo?(franziskuskiefer)
This adds a parameter to the asyncReauthenticateUser pointing to the native parent Window (main Firefox window). This is set as parent for the Windows authentication dialogue, which makes it a modal.
So you'd pass in `window.docShell.treeOwner.QueryInterface(Ci.nsIBaseWindow).nativeHandle` as second argument.
Giving this a priority to move this out of the triage list. There is review feedback still open on attachment 9025009, so assigning to :franziskus. Please un-assign if you don't plan on working more on this.
Assignee: nobody → franziskuskiefer
Priority: -- → P3
Status: NEW → ASSIGNED
Priority: P3 → P1
Assignee: franziskuskiefer → nobody
Status: ASSIGNED → NEW
Priority: P1 → --
Assignee: nobody → franziskuskiefer
Attachment #9025009 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Assignee: franziskuskiefer → nobody
Status: ASSIGNED → NEW
Priority: -- → P2
Assignee: nobody → jaws
Status: NEW → ASSIGNED
Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a8b80ec1830e
Associate the OS auth dialog with the parent window on Windows to center the dialog and prevent the user from interacting with the browser while the dialog is present. r=MattN,keeler
https://hg.mozilla.org/integration/autoland/rev/0848e3945164
Show the full product name in the OS auth dialog. r=MattN,fluent-reviewers,flod
Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c94574243017
Associate the OS auth dialog with the parent window on Windows to center the dialog and prevent the user from interacting with the browser while the dialog is present. r=MattN,keeler
https://hg.mozilla.org/integration/autoland/rev/d91021dfef12
Show the full product name in the OS auth dialog. r=MattN,fluent-reviewers,flod
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 76
See Also: → 1623109
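
The race reported in this bug and the effect of making the prompt modal, as an added example that is not Firefox code or part of any comment here. The `Widget` class, `osPrompt`, `pay` and the sample card data are hypothetical, and the `recheck` option is an added defence-in-depth assumption that is not part of the landed patch.

```javascript
// Constructed model of the payment widget; every name here is hypothetical.
class Widget {
  constructor(fields) {
    this.fields = { ...fields };
    this.locked = false; // true while a modal dialog owns the parent window
  }
  // User input path: dropped while the widget is locked.
  edit(name, value) {
    if (this.locked) return false;
    this.fields[name] = value;
    return true;
  }
  valid() {
    return this.fields.cardOk === true && /^\d{3}$/.test(this.fields.cvv);
  }
}

// Stand-in for the OS password prompt. `whileOpen` is whatever the user does
// between the prompt appearing and the correct password being entered.
function osPrompt(whileOpen) {
  whileOpen();
  return true;
}

function pay(widget, whileOpen, { modal, recheck }) {
  if (!widget.valid()) return "rejected: invalid before prompt";
  widget.locked = modal; // a modal prompt disables its parent window
  const authed = osPrompt(() => whileOpen(widget));
  widget.locked = false;
  if (!authed) return "rejected: auth failed";
  // Defence in depth (assumption, not in the patch): the earlier check may be stale.
  if (recheck && !widget.valid()) return "rejected: changed during prompt";
  return "processed cvv=" + widget.fields.cvv;
}

// Steps 5 and 6 of the report, performed while the prompt is displayed.
const tamper = (w) => { w.edit("cardOk", false); w.edit("cvv", "12"); };
const saved = { cardOk: true, cvv: "123" }; // constructed sample data

function demo() {
  return {
    nonModal: pay(new Widget(saved), tamper, { modal: false, recheck: false }),
    modal: pay(new Widget(saved), tamper, { modal: true, recheck: false }),
    recheck: pay(new Widget(saved), tamper, { modal: false, recheck: true }),
  };
}
console.log(demo());
```

The non-modal case reproduces the reported behaviour: validation passes before the prompt, the values change while it is open, and the changed values are processed.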

Hey Jared,
This is fixed on latest Nightly for Windows 10 x64/Windows 7 x64.
Checked it by toggling the OS auth prompt in about:logins (show password) as you suggested on Slack.
However, on macOS (10.13) I can still interact with other tabs while the OS auth is displayed. Let me know if I should open a new bug for that.

Thanks!

Hi Timea, thanks for testing. Please file a bug for the 10.13 issue. Thanks!

Flags: needinfo?(jaws) → needinfo?(tbabos)
Depends on: 1625114

Submitted Bug 1625114 for that, thanks!
Closing this as verified - fixed for Windows.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Flags: needinfo?(tbabos)