Open Bug 1546749 Opened 6 years ago Updated 3 years ago

Dojo Dijit's ValidationTextBox's dijitValidationIcon causes "X " to be saved as the username on login forms

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

Product:
Toolkit
Component:
Password Manager: Site Compatibility
Type:
defect

Tracking

()

Tracking Flags:
Tracking Status
firefox68 --- affected

People

(Reporter: MattN, Unassigned)

References

(
URL
)

Details

(Whiteboard: [passwords:heuristics])

User Story

Potential solutions:
A) Ignore a value of "X " for the username field detection
B) Ignore a match of .dijitValidationIcon for the username field detection
C) Ignore elements with `tabIndex="-1"` for the username field detection
D) Ignore elements with`readonly="readonly"` for the username field detection
E) Ignore elements with `role="presentation"` for the username field detection

Options C through E have the problem that they give sites additional ways to prevent saving data though maybe this is less of an issue for username fields than password fields. Keep in mind that attribute values could change at any point so, for example, @readonly at save time doesn't mean it was always read-only.

We don't have much precedence for doing something like (A) or (B) outside recipes… we had talked before about having recipes that can understand frameworks that are used… I also though before about having global recipes to keep the complexity outside of LoginManagerContent.
<input class="dijitReset dijitInputField dijitValidationIcon dijitValidationInner" value="&#935; "
       type="text" tabIndex="-1" readonly="readonly" role="presentation"/>

Source: https://github.com/dojo/dijit/blame/cf03701f919c956a02b0a04cf09f8c5593302fb9/form/templates/ValidationTextBox.html#L4

I don't understand why an <input> is used here rather than an <img> or a <div>.

Affected Sites (feel free to edit to add to this list):

This seems like a very specific problem, so I'm not sure it needs a generalized solution - with the risks that carries of opening new means of abuse and affecting other legitimate uses. A recipe sounds like a good mechanism, but I guess the problem is how to implement that without imposing a runtime penalty on every site using a form.

Flags: qe-verify+

Moving to P3 as this is not happening in the next release cycle.

Priority: P2 → P3
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.