Closed Bug 1575675 Opened 6 years ago Closed 6 years ago

Form History checkbox is hidden in Custom History settings

Categories

(Toolkit :: Preferences, defect)

68 Branch
defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: chrisw_63, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Tried to turn off username Autofill of forms.

Actual results:

Had to search help to find the setting.

Expected results:

Firefox touts its commitment to user privacy and safety on the web. This is an IMPORTANT setting from that viewpoint. Form Autofill is a KNOWN attack vector for the theft of personally identifiable information from browsers. Since it defaults to ON, it should not be hidden so that choosing "Use custom settings for history", which is itself hidden in a dropdown (why? see below...) and extremely vague, is required to even SEE the setting.

Most of the important settings are arranged in an indented tree, and settings that are currently not available greyed out. THIS SHOULD BE THE SAME, so that everyone who sees it knows exactly what it does and how to change the Autofill setting.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Preferences

Matt, my understanding is that by default we do not autofill anything in a way a website could detect, but AFAICT we don't ship the address/CC autofill stuff to my locale so I don't know if those behave differently, can you confirm?

Component: Preferences → Form Autofill
Flags: needinfo?(MattN+bmo)
Product: Firefox → Toolkit

Let me clear up a bunch of confusion in this bug…

There are three form-filling-related features:

  • Form history of previously submitted text in individual fields (not passwords)
    • Data is only visible to the page once the user manually selected a row from the autocomplete popup
    • Disabled under the "Use custom settings for history" option since it's about history of what you previously submitted and is super low risk but high value
  • Password Manager
    • Usernames and passwords autofill by default if there is only one match.
    • Autofilling of saved logins can be disabled with the "Autofill logins and passwords" checkbox in the Saved Logins list (moving to about:preferences#privacy-logins in Fx 69). You can also disable the whole password manager. (not hidden behind "Use custom settings for history")
  • Form autofill (currently only shipping with addresses in en-US+US geo. and fills in a whole address at once in multiple fields)
    • Data is only visible to the page once the user manually selected a row from the autocomplete popup
    • Disable at about:preferences#privacy-form-autofill (not hidden behind "Use custom settings for history")

It seems like you are confusing form history checkboxes with some form of autofill which I guess is login autofill? I think you will see from the above that the preference to deal with the theft issue isn't buried behind "Use custom settings for history". Could you clarify if you have any remaining concerns or whether we can close this bug?

Flags: needinfo?(MattN+bmo) → needinfo?(chrisw_63)

Quote: "Disable at about:preferences#privacy-form-autofill (not hidden behind "Use custom settings for history")"

Go to that link you gave. Select anything other than "Use custom settings for history". What happens? All the below choices disappear. They don't gray out. They aren't just unselected. They are gone. Hence my use of the word "hidden".

As for forms data being subsumed by the 'history' paradigm... Is your personal medical data just forms history? How about your Social Security Number? Usernames may not seem that important by themselves, but they are a starting point. If I spoofed an email from a website that had your correct username on it, how much more convincing would it be? It's also a lot easier to break security when you have a known username. Do modern logins tell you your password is wrong? They used to! Now they say something like, "Invalid Username or password." Why? Because the username is a vector. If we consider the current data on password use, the majority of them are easily brute-forced in minutes. But you need a valid username to even begin.

As for the data only being available to the page after selection, that is something I didn't know. Does that mean the selection itself isn't scriptable? Still, this setting should be more visible.

Even if you look at this from a UX standpoint, it's incongruous. As I said earlier, most of the other items in settings, if they are made irrelevant by a prior setting, are just grayed out. Why does this one disappear?

(In reply to Chris W from comment #4)

> Quote: "Disable at about:preferences#privacy-form-autofill (not hidden behind "Use custom settings for history")"
>
> Go to that link you gave.

If you go to that link in an en-US build in the US you will see checkboxes for Form Autofill. What you're talking about below is not what I'm talking about.

> Select anything other than "Use custom settings for history". What happens? All the below choices disappear. They don't gray out. They aren't just unselected. They are gone. Hence my use of the word "hidden".

It's very hard to follow what you're talking about since you're conflating the 3 different features I listed.

> As for forms data being subsumed by the 'history' paradigm... Is your personal medical data just forms history? How about your Social Security Number? Usernames may not seem that important by themselves, but they are a starting point. If I spoofed an email from a website that had your correct username on it, how much more convincing would it be? It's also a lot easier to break security when you have a known username. Do modern logins tell you your password is wrong? They used to! Now they say something like, "Invalid Username or password." Why? Because the username is a vector. If we consider the current data on password use, the majority of them are easily brute-forced in minutes. But you need a valid username to even begin.

I honestly don't understand what point you're trying to make given that I said that the site can't access non-login data without your interaction with the popup. When dealing with social security numbers or medical information I would strongly recommend using private browsing if you don't want traces left on your computer, that's what I do and that's what the feature is for. Saving of new form history is disabled in private windows.

> As for the data only being available to the page after selection, that is something I didn't know. Does that mean the selection itself isn't scriptable? Still, this setting should be more visible.

Correct, the popup isn't even in the same process as the web content, it's created in the Firefox parent process whereas web content is in a separate process. The only way a site can get access to a single option in the popup is if you as a user select it.

> Even if you look at this from a UX standpoint, it's incongruous. As I said earlier, most of the other items in settings, if they are made irrelevant by a prior setting, are just grayed out. Why does this one disappear?

If I understand correctly, your main point is that when "Remember History" is chosen in the dropdown, the "Remember search and form history" checkbox is hidden behind text that says "Firefox will remember your browsing, download, form, and search history." but that isn't a checkbox?

We don't have any plans to change that as there is no easy attack vector related to this checkbox like you claim in comment 0. The only attacks require a user's interaction and therefore tricking the user.

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Component: Form Autofill → Preferences
Flags: needinfo?(chrisw_63)
Resolution: --- → WONTFIX
Summary: Form Fill Setting hidden in Custom History Settings → Form History checkbox is hidden in Custom History settings