Save a generated login immediately if there are no saved logins for the site

RESOLVED FIXED in Firefox 69

Status

enhancement
P2
normal
RESOLVED FIXED
3 months ago
7 days ago

People

(Reporter: MattN, Assigned: MattN, NeedInfo)

Tracking

(Depends on 2 bugs)

Trunk
mozilla69
Bug Flags:
qe-verify +

Firefox Tracking Flags

(firefox69 fixed)

Details

(Whiteboard: [passwords:generation] [skyline])

Attachments

(1 attachment, 3 obsolete attachments)

When we fill a newly generated password for a user, we should save it to persistent login storage if there are no saved logins for the site.

Rationale: Since we can only save one password per username on a site, if there are saved logins for the site we risk overwriting them when the user may still need them to enter their old password.

Flags: qe-verify+
Assignee: nobody → MattN+bmo
Status: NEW → ASSIGNED

I'm not removing them now since that will break Thunderbird.

A loose actionOrigin match is achieved using "" for the formSubmitURL whereas the option also includes HTTP auth logins with a null formSubmitURL.

Depends on D32607
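
As an added illustration (not code from the patch or from Firefox), the save rule from the description and the two matching modes mentioned above can be modelled on a constructed in-memory store. `searchLogins`, `onGeneratedPasswordFilled`, the sample origins and the value stored as the new entry's `formSubmitURL` are assumptions of this sketch; the empty username mirrors what the verification steps later in this bug observe.

```javascript
// Constructed sample store; field names follow the wording used in this bug
// (formSubmitURL, httpRealm). This models the idea, not LoginManager itself.
const savedLogins = [
  // Form login: formSubmitURL is a string, httpRealm is null.
  { origin: "https://example.com", formSubmitURL: "https://example.com",
    httpRealm: null, username: "alice", password: "old-pw" },
  // HTTP auth login: formSubmitURL is null, httpRealm is set.
  { origin: "https://intranet.example", formSubmitURL: null,
    httpRealm: "Staff", username: "bob", password: "pw2" },
];

// Hypothetical search helper. formSubmitURL "" is a wildcard over form logins
// only; ignoreActionAndRealm additionally returns HTTP auth logins.
function searchLogins(store, origin,
                      { formSubmitURL = "", ignoreActionAndRealm = false } = {}) {
  return store.filter((login) => {
    if (login.origin !== origin) return false;
    if (ignoreActionAndRealm) return true;
    if (login.formSubmitURL === null) return false; // HTTP auth login
    return formSubmitURL === "" || login.formSubmitURL === formSubmitURL;
  });
}

// Save the generated password immediately only when nothing at all is stored
// for the origin. Otherwise storage is left untouched, so an existing entry
// (possibly the old password the user still needs) is never overwritten.
function onGeneratedPasswordFilled(store, origin, generatedPassword) {
  const existing = searchLogins(store, origin, { ignoreActionAndRealm: true });
  if (existing.length > 0) {
    return { saved: false, reason: "site already has saved logins" };
  }
  // Assumption of this sketch: the new entry records the page origin as its
  // form action and an empty username.
  store.push({ origin, formSubmitURL: origin, httpRealm: null,
               username: "", password: generatedPassword });
  return { saved: true };
}
```

Using the wildcard search alone for the "no saved logins" check would treat `https://intranet.example` as empty, which is why the check in this sketch uses the broader option.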

Comment on attachment 9067248 [details]
Bug 1548857 - Make the 'aUsernameField' and 'aPasswordField' nsILoginInfo fields optional. r=sfoster

Revision D32426 was moved to bug 1555152. Setting attachment 9067248 [details] to obsolete.

Attachment #9067248 - Attachment is obsolete: true

Comment on attachment 9067590 [details]
Bug 1548857 - Rename looseActionOriginMatch to ignoreActionAndRealm to be more correct. r=sfoster

Revision D32608 was moved to bug 1555152. Setting attachment 9067590 [details] to obsolete.

Attachment #9067590 - Attachment is obsolete: true
Attachment #9067589 - Attachment is obsolete: true
Attachment #9067249 - Attachment description: Bug 1548857 - Save a generated login immediately if there are no saved logins for the site → Bug 1548857 - Save a generated login immediately if there are no saved logins for the site. r=sfoster
Pushed by mozilla@noorenberghe.ca:
https://hg.mozilla.org/integration/autoland/rev/8dcae2b6d89b
Save a generated login immediately if there are no saved logins for the site. r=sfoster
Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Hi Matthew,

I am having trouble verifying this issue. Could you help me with some steps, or maybe a website on which I could verify this?

Thank you!

Flags: needinfo?(MattN+bmo)

Yes, more info in bug 1548381. I am taking this to verify myself.

  • These are the steps I took to verify this implementation, case where no password is being saved for the site in question:
  1. Open browser with a new profile and change prefs in about:config :
    "signon.generation.enabled" is the user pref to enable/disable the feature from about:preferences (not implemented yet).
    "signon.generation.available" controls whether the feature is available for users (e.g. if the about:preferences UI should show).
  2. Restart browser (not sure if it's required, but I'm not taking any chances)
  3. Log into Yahoo (one of the sites where the feature works).
  4. On the door-hanger, choose "Don't save" the credentials.
  5. Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).
  6. Double click inside the "New Password" / "Confirm Password" fields;
  7. On the password manager's drop-down, select the generated password in both fields and change the password.
  8. Go to Preferences/Privacy and Security/Login and Passwords/Saved Logins...
    Notice that the generated password is saved inside the Saved Logins list (in the case of Yahoo, only the password is saved, not the username).
    In this case, the username will need to be added manually in the Saved Logins modal.
  • A more edgy case, where a password is already saved:
  1. Open browser with a new profile and change prefs in about:config :
    "signon.generation.enabled" is the user pref to enable/disable the feature from about:preferences (not implemented yet).
    "signon.generation.available" controls whether the feature is available for users (e.g. if the about:preferences UI should show).
  2. Restart browser (not sure if it's required, but I'm not taking any chances)
  3. Log into Yahoo (one of the sites where the feature works).
  4. On the door-hanger, choose to "Save" the credentials.
  5. Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).
  6. Double click inside the "New Password" / "Confirm Password" fields;
  7. On the password manager's drop-down, select the generated password in both fields and change the password.
    NOTICE that the Password Manager door-hanger appears and offers to save the generated password, but with no username.
  8. Go to Preferences/Privacy and Security/Login and Passwords/Saved Logins...
    Notice that the generated password is saved as a new credential, the username will need to be added manually in the Saved Logins modal.
  • An even more edgy case, where a generated password is already saved:
  1. Open browser with a new profile and change prefs in about:config :
    "signon.generation.enabled" is the user pref to enable/disable the feature from about:preferences (not implemented yet).
    "signon.generation.available" controls whether the feature is available for users (e.g. if the about:preferences UI should show).
  2. Restart browser (not sure if it's required, but I'm not taking any chances)
  3. Log into Yahoo (one of the sites where the feature works).
  4. On the door-hanger, choose to "Save" the credentials.
  5. Reach the page where the password can be changed (Account Info/ Account Security/ Change Password).
  6. Double click inside the "New Password" / "Confirm Password" fields;
    NOTICE that the generated password is the same as it was the last time the user used a generated password.
    NOTICE that the Password Manager door-hanger appears and offers to save the generated password, but with no username.
    I believe that this case will be fixed when a different password is generated every time the user attempts to change his password.

Matt, How do you think we should proceed in this case? Which case is unacceptable?
Should I also test other sites in order to validate this issue? See bug 1548381 for top 10 sites that allow for the password generator feature to work. Thanks.
