The user can interact with the payment widget while the OS password prompt is displayed
Categories
(Firefox :: WebPayments UI, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox76 | --- | verified |
People
(Reporter: tbabos, Assigned: jaws)
References
Details
Attachments
(3 files, 1 obsolete file)
[Affected versions]: Nightly 65.0a1 [Affected platforms]: Windows 7/10 x64 [Prerequisites]: - set the pref dom.payments.request.enabled to "true" - make sure to have at least one Shipping Address and saved CC [Steps to reproduce]: 1. Go to "https://rsolomakhin.github.io/pr/us/" and click on "Buy" 2. Select in all field valid options 3. Click on "Buy" 4. After the OS user password prompt appears click back on the payment widget 5. Select in invalid Credit Card 6. Remove one digit from the CVV 7. Return to the OS password prompt and fill in the good password [Expected Result]: The user should not be able to interact with the payment widget at all if the OS password prompt is displayed. [Actual Result]: Since the user can change any value on the payment widget, the payment will be processed even with invalid values after filling in the OS password. Please see the attached file. [Notes]: This issue is only reproducible on Windows. On MAC it works as expected.
Updated•6 years ago
|
Comment 1•6 years ago
|
||
J.C. do you know if there is a way to make this dialog modal?
Updated•6 years ago
|
We just need to get a handle on the parent window somehow and set it here: https://hg.mozilla.org/mozilla-central/annotate/ccfeb561645b/security/manager/ssl/OSReauthenticator.cpp#l113 I think Franziskus is set up to take care of this most quickly, but he can kick it back to me if he doesn't have time.
Comment 3•6 years ago
|
||
Hm, I somewhat expected this to happen. I'm not sure if we can determine the right window in the re-authenticator. I'd prefer getting the window handle passed in with the asyncReauthenticateUser call. I'll make a patch how that'd look.
Comment 4•6 years ago
|
||
This adds a parameter to the asyncReauthenticateUser pointing to the native parent Window (main Firefox window). This is set as parent for the Windows authentication dialogue, which makes it a modal. So you'd pass in `window.docShell.treeOwner.QueryInterface(Ci.nsIBaseWindow).nativeHandle` as second argument.
Comment 5•6 years ago
|
||
Giving this a priority to move this out of the triage list. There is review feedback still open on attachment 9025009 [details], so assigning to :fanziskus. Please un-assign if you don't plan on working more on this.
Updated•6 years ago
|
Updated•5 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 6•4 years ago
|
||
Assignee | ||
Comment 7•4 years ago
|
||
Pushed by jwein@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a8b80ec1830e Associate the OS auth dialog with the parent window on Windows to center the dialog and prevent the user from interacting with the browser while the dialog is present. r=MattN,keeler https://hg.mozilla.org/integration/autoland/rev/0848e3945164 Show the full product name in the OS auth dialog. r=MattN,fluent-reviewers,flod
Comment 9•4 years ago
|
||
Backed out 8 changesets (bug 1506602, bug 1194529) for Browser-chrome failures in browser/browser_aaa_eventTelemetry_run_first.js. CLOSED TREE
Log:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=292572332&repo=autoland&lineNumber=7029
Push with failures:
https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&revision=0848e394516426235b75898a4172bfeefcb59178
Backout:
https://hg.mozilla.org/integration/autoland/rev/884162af76f5225bbf4efe486959d2fa9757bc56
Comment 10•4 years ago
|
||
Pushed by jwein@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c94574243017 Associate the OS auth dialog with the parent window on Windows to center the dialog and prevent the user from interacting with the browser while the dialog is present. r=MattN,keeler https://hg.mozilla.org/integration/autoland/rev/d91021dfef12 Show the full product name in the OS auth dialog. r=MattN,fluent-reviewers,flod
Comment 11•4 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c94574243017
https://hg.mozilla.org/mozilla-central/rev/d91021dfef12
Reporter | ||
Comment 12•4 years ago
|
||
Hey Jared,
This is fixed on latest Nightly for Windows 10 x64/Windows 7 x64.
Checked it by toggling the OS auth prompt in about:logins (show password) as you suggested on slack.
However, on macOS (10.13) I can still interact with other tabs while the OS auth is displayed. Let me know if I should open a new bug for that.
Thanks!
Assignee | ||
Comment 13•4 years ago
|
||
Hi Timea, thanks for testing. Please file a bug for the 10.13 issue. Thanks!
Reporter | ||
Comment 14•4 years ago
|
||
Submitted Bug 1625114 for that, thanks!
Closing this as verified - fixed for Windows.
Description
•