HTTP auth credentials should show httpRealm in about:logins and autocomplete
Categories
(Firefox :: about:logins, defect, P1)
Tracking
()
People
(Reporter: markus.kell.r, Assigned: MattN)
Details
(Whiteboard: [passwords:management] [skyline])
Attachments
(4 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
In Firefox 68.0.1, opened an internal website that is secured by:
1.) HTTP basic authentication:
.htaccess file with:
AuthType basic
AuthName "Secured area"
AuthUserFile /path/to/file
Require valid-user
2.) A login form with user / password fields
Actual results:
- "Authentication Required" dialog is shown, prefilled with saved user/password (as expected)
- Login form is shown, user field focused, popup list offering two saved logins:
a) my real user name
b) the HTTP auth user name
Expected results:
Popup list should only offer saved login for the login form (2.a), but not the HTTP auth user name (2.b).
In the password manager, the HTTP auth entry is rendered as Site: "https://***.***.com (Secured area)". In the autofill popup, the "(Secured area)" is also missing, making that entry even more confusing.
This used to work as expected in Firefox 67. I'm not sure if it got broken in 68.0.0 or 68.0.1.
Comment 1•5 years ago
•
|
||
Seems that creating a test case for this particular scenario is a bit complicated for me and it eats a bit of time that I currently don't have.
Markus, could you perhaps be available to help narrowing down a regression range? You can do this by identifying a good version in which this worked properly - from comment 0 seems that would be 67 then run mozregression1 like this: mozregression --good 67 --bad 69 . Same approach with mozregression GUI version.
Mozregression will download and start builds for you to test given that you have access to the testcase.
Assignee | ||
Comment 2•5 years ago
|
||
It's intentional that we now include HTTP auth results in autocomplete but it's not intentional that you can't differentiate between HTTP auth and form logins. We will add the realm the UI for both the new management UI and autocomplete using a shared helper.
Assignee | ||
Updated•5 years ago
|
Comment 3•5 years ago
|
||
It would help having a test page for this scenario. Matt, do you perhaps have one @ ready?
Assignee | ||
Comment 4•5 years ago
|
||
https://httpbin.org/basic-auth/user/password is a test page for HTTP auth but you would need to have a form login on the same site and I don't know of a site that has both off-hand.
Reporter | ||
Comment 5•5 years ago
|
||
Sorry for the late response.
Here's a totally insecure test page:
http://home.datacomm.ch/keller.markus/secured/login.html
First stage (HTTP auth) uses credentials usr/pwd
Second stage (login.html) accepts anything you enter.
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #2)
It's intentional that we now include HTTP auth results in autocomplete but it's not intentional that you can't differentiate between HTTP auth and form logins. We will add the realm the UI for both the new management UI and autocomplete using a shared helper.
Identifying the inapplicable login is better than nothing, but I don't see why it would make sense to show a saved login in a context where it is certainly not applicable.
Assignee | ||
Comment 6•5 years ago
|
||
(In reply to Markus Keller from comment #5)
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #2)
It's intentional that we now include HTTP auth results in autocomplete but it's not intentional that you can't differentiate between HTTP auth and form logins. We will add the realm the UI for both the new management UI and autocomplete using a shared helper.
Identifying the inapplicable login is better than nothing, but I don't see why it would make sense to show a saved login in a context where it is certainly not applicable.
The reason is because sites change. I know of applications (one of the biggest payroll providers in the U.S.) that have switched from HTTP auth to form auth (sometimes varying based upon the login URL used) and having convenient access to your relevant logins is something we are trying to improve the last while.
Reporter | ||
Comment 7•5 years ago
|
||
The reason is because sites change.
Fair enough. However, those additional logins should only be shown as secondary items in the autocompletion popup, after the real matches. And they should not block autofill.
My real-life scenario adapted to comment 5:
- httpauth works fine (usr/pwd is pre-filled)
- HTML form has saved username zzz
In the past, the HTML form on the login page was already filled with zzz and the saved password.
Now, the HTML form is not pre-filled any more, and I have to remember that I have to select the second entry in the autocomplete popup. That's too much work for something that used to go smoothly before.
Assignee | ||
Comment 8•5 years ago
|
||
Hmm… I'll try fix that as I thought it was supposed to work that way.
Assignee | ||
Comment 9•5 years ago
|
||
Assignee | ||
Comment 10•5 years ago
|
||
Depends on D43168
Assignee | ||
Comment 11•5 years ago
|
||
(In reply to Markus Keller from comment #7)
The reason is because sites change.
Fair enough. However, those additional logins should only be shown as secondary items in the autocompletion popup, after the real matches. And they should not block autofill.
My real-life scenario adapted to comment 5:
- httpauth works fine (usr/pwd is pre-filled)
- HTML form has saved username zzz
In the past, the HTML form on the login page was already filled with zzz and the saved password.
Now, the HTML form is not pre-filled any more, and I have to remember that I have to select the second entry in the autocomplete popup. That's too much work for something that used to go smoothly before.
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #8)
Hmm… I'll try fix that as I thought it was supposed to work that way.
I cannot reproduce this issue. Can you file a separate bug and include password manager debug logging?
Assignee | ||
Comment 12•5 years ago
|
||
Depends on D43169
Comment 13•5 years ago
|
||
Pushed by mozilla@noorenberghe.ca: https://hg.mozilla.org/integration/autoland/rev/980221f42586 Use FxAccountsCommon.FXA_PWDMGR_* constants in AboutProtectionsHandler. r=jaws https://hg.mozilla.org/integration/autoland/rev/7e2df056a778 Show HTTP Auth realm in about:logins and autocomplete. r=jaws https://hg.mozilla.org/integration/autoland/rev/a8dc5f13dfcf Add unit tests for isOriginMatching with null/javascript: origins. r=jaws
Comment 14•5 years ago
|
||
Backed out 3 changesets (Bug 1569581) for mass browser-chrome failures CLOSED TREE
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception&revision=a8dc5f13dfcf8f6b54401818e1921803c427a029&selectedJob=263232963
Failure log:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=263234635&repo=autoland&lineNumber=5422
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=263234628&repo=autoland&lineNumber=7183
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=263232963&repo=autoland&lineNumber=19362
There is also a TV failure so far: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=263234566&repo=autoland&lineNumber=1794
Backout: https://hg.mozilla.org/integration/autoland/rev/76269370e3a06a543fcb2f63d08ce38ad03aaadc
Assignee | ||
Updated•5 years ago
|
Comment 15•5 years ago
|
||
Pushed by mozilla@noorenberghe.ca: https://hg.mozilla.org/integration/autoland/rev/88a9bc458456 Use FxAccountsCommon.FXA_PWDMGR_* constants in AboutProtectionsHandler. r=jaws https://hg.mozilla.org/integration/autoland/rev/2a66b79c7085 Show HTTP Auth realm in about:logins and autocomplete. r=jaws https://hg.mozilla.org/integration/autoland/rev/9c3b3043ddc7 Add unit tests for isOriginMatching with null/javascript: origins. r=jaws
Comment 16•5 years ago
|
||
Backed out 3 changesets (bug 1569581) for ESLint failure at browser/components/about/AboutProtectionsHandler.jsm
Backout: https://hg.mozilla.org/integration/autoland/rev/6ecde9adcfebd7e2ce1738a37d54d3e1a49e1eaf
Failure push: https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=9c3b3043ddc79db2b924e6db997a1425258df01f
Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=263246887&repo=autoland&lineNumber=223
Assignee | ||
Updated•5 years ago
|
Comment 17•5 years ago
|
||
Pushed by mozilla@noorenberghe.ca: https://hg.mozilla.org/integration/autoland/rev/6652880b0c8a Use FxAccountsCommon.FXA_PWDMGR_* constants in AboutProtectionsHandler. r=jaws https://hg.mozilla.org/integration/autoland/rev/f33e5bdffd68 Show HTTP Auth realm in about:logins and autocomplete. r=jaws https://hg.mozilla.org/integration/autoland/rev/d94f2a6d5771 Add unit tests for isOriginMatching with null/javascript: origins. r=jaws
Comment 18•5 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/6652880b0c8a
https://hg.mozilla.org/mozilla-central/rev/f33e5bdffd68
https://hg.mozilla.org/mozilla-central/rev/d94f2a6d5771
Comment 19•5 years ago
|
||
In order to verify this, QA still needs a testcase for this scenario. I guess one way to go at it would be to ask Markus to check the behavior after the fixed landed: Markus, could you please find time to check what the behavior is now on beta70?
I also would like to have a reduced testcase for this scenario: MattN, anything you can think of that can be cooked up without time invested in setup.
Reporter | ||
Comment 20•5 years ago
|
||
Steps to reproduce in Firefox 69.0:
- new profile, all defaults, no passwords stored for home.datacomm.ch
- go to http://home.datacomm.ch/keller.markus/secured/login.html
-> dialog "Authentication Required" shows up - enter User name: "usr", Password: "pwd", press Enter
-> dialog asks to save login - click Save
- enter Username: "zzz", Password: "pazz", press Enter
-> dialog asks to save login - click Save
- go to http://home.datacomm.ch/keller.markus/secured/login.html again (e.g. Cmd/Ctrl+L, Enter). Don't use browser history, refresh, or link to go back.
-> page is shown without login credentials pre-filled
-> expected: zzz and pazz should be pre-filled - click into the Username input field
-> 2 logins "usr" and "zzz" are presented
-> expected: "zzz" should be first. "usr" should tell that it's from another context, e.g. by appending " (Secured area (hint: usr/pwd))" as in the "Saved Logins" dialog
I'll try to find some time to test 70-nightly later.
Reporter | ||
Comment 21•5 years ago
|
||
- go to http://home.datacomm.ch/keller.markus/secured/login.html again (e.g. Cmd/Ctrl+L, Enter). Don't use browser history, refresh, or link to go back.
I've fixed the success.html page, so you can now click the "Login again" link there, which takes you back to http://home.datacomm.ch/keller.markus/secured/login.html
Reporter | ||
Comment 22•5 years ago
|
||
Testing on a Mac:
Firefox beta 70.0b3 has only improved the sorting in the auto-completion drop-down (step 8 from comment 20).
Still no
a) pre-fill of the form input field
b) rendering of the auth realm in the auto-completion drop-down
Firefox Nightly 71.0a1 has fixed b), but the realm name is severely cut everywhere:
- in the drop-down, it shows:
home.datacomm.com (Secured... - when I click "View Saved Logins", the new Lockwise page opens, where the list on the left shows a few more characters:
home.datacomm.com (Secured are... - when I click the entry in the list, the title on the right reads:
home.datacomm.ch (Secured area (hint: ... - when I click "Edit", it shows:
home.datacomm.ch (Secured area (hint: usr/p ...
The only way I found to reveal the whole text is to triple-click the title and copy. Then the clipboard contains the full:
home.datacomm.ch (Secured area (hint: usr/pwd))
Comment 23•5 years ago
|
||
Thanks Markus for providing the detailed steps and testcase! I've check out both latest Nightly 71 and Beta 70 and got the following results:
Nightly 71:
(In reply to Markus Keller from comment #20)
- go to http://home.datacomm.ch/keller.markus/secured/login.html again (e.g. Cmd/Ctrl+L, Enter). Don't use browser history, refresh, or link to go back.
-> page is shown without login credentials pre-filled
-> expected: zzz and pazz should be pre-filled- click into the Username input field
-> 2 logins "usr" and "zzz" are presented
-> expected: "zzz" should be first. "usr" should tell that it's from another context, e.g. by appending " (Secured area (hint: usr/pwd))" as in the "Saved Logins" dialog
- The fields are NOT pre-filled with "zzz" and "pazz" <- Fails expected result
- "zzz" is displayed first in the dropdown and "usr" has the (Secured area (hint: usr/pwd)) mention, check attached file. <- Passed expected result
Beta 70.0b3:
- The fields are NOT pre-filled with "zzz" and "pazz" <- Failed
- "zzz" is displayed as first but the saved credentials don't have their origin displayed in the dropdown <- Failed
Secure entry in about:logins will have the "(Secured area (hint: usr/pwd))" in the entry title
If you test it again, let us know if there are different results or any other notes. Meanwhile, leaving the NI? for Matt to check the results.
Comment 24•5 years ago
|
||
Guess we worked on this in the same time ¯_(ツ)_/¯
I also agree with the notice about the cut realm name.
Attaching picture for results.
Assignee | ||
Comment 25•5 years ago
|
||
Oh yes, I only fixed showing the domain in the autocomplete popup when subdomain support was enabled and that's only enabled on Nightly so that's why Beta 70 still doesn't show the realm. I guess we need a new bug for fixing this in non-Nightly.
We don't automatically fill login fields over http: so the test cases are not valid for testing that. If you enable the debug logging you will see this:
LoginManagerContent: not filling form since it's insecure
If you test with https: you will get the expected result in Nightly:
- new profile, all defaults, no passwords stored for *.mattn.ca
- go to https://bugs.mattn.ca/pwmgr/basic-auth/
-> dialog "Authentication Required" shows up - enter User name: "user", Password: "password", press Enter
-> dialog asks to save login - click Save
- Load https://bugs.mattn.ca/pwmgr/login_and_change_form.html
- In registration form enter Username: "zzz", Password: "pazz", press Enter
-> dialog asks to save login - click Save
- go to https://bugs.mattn.ca/pwmgr/login_and_change_form.html again (e.g. Cmd/Ctrl+L, Enter). Don't use browser history, refresh, or link to go back.
-> page is shown WITH form login credentials pre-filled into the login forms (not registration) - click into the Username input field
-> 2 logins "user" and "zzz" are presented
-> expected: "zzz" should be first. "user" should tell that it's from another context, e.g. by appending " (Basic Auth)" as in the "Saved Logins" dialog
Reporter | ||
Comment 26•5 years ago
|
||
(In reply to Timea Babos from comment #24)
I also agree with the notice about the cut realm name.
Filed follow-up bug 1579738 for that.
Comment 27•5 years ago
|
||
Thanks for the answer Matt, re-checked it on latest Nightly and Beta using the steps and testcases from your comment and it works fine.
Do you need a bug submitted for enabling the subdomain in the autocomplete pop-up for non-Nightly builds?
Closing this as Verified - fixed on latest Beta 70.0b4 (64-bit), the follow-up bugs will be handled separately.
Assignee | ||
Comment 28•5 years ago
|
||
(In reply to Timea Babos from comment #27)
Thanks for the answer Matt, re-checked it on latest Nightly and Beta using the steps and testcases from your comment and it works fine.
Thanks
Do you need a bug submitted for enabling the subdomain in the autocomplete pop-up for non-Nightly builds?
No, that is bug 1563330.
Updated•5 years ago
|
Description
•