Open Bug 1590411 Opened 2 years ago Updated 2 years ago

Filling generated password (from subdomain) using a domain username will create new saved login

Categories

(Toolkit :: Password Manager, enhancement, P3)

enhancement

Tracking

()

Tracking Status
firefox-esr60 --- unaffected
firefox69 --- disabled
firefox70 --- unaffected
firefox71 --- wontfix
firefox72 --- fix-optional

People

(Reporter: aflorinescu, Unassigned)

References

(Depends on 1 open bug)

Details

(Whiteboard: [passwords:generation])

[Description:]

There are quite a few flows that end up in this same situation: an existing username needs updating, hence the expectancy + door-hanger would suggest that the existing entry gets updated, not a new entry created for the domain/sub-domain.

[Envinronment:]

Windows 10, Ubuntu 16.04
71.0b3 20191021164841
72.0a1 20191021215155

[Steps:]
  1. Open Firefox - new profile.
  2. Access facebook.com
  3. Input and Save a bogus u/p.
  4. Access ro-ro.facebook.com
  5. Input and Save a different bogus u/p.
  6. Open a new tab, open either of the above (domain/subdomain)
  7. Use autocomplete to fill in the username from the domain/subdomain.
  8. Use Generate secure password.
  9. Use door-hanger to "update" the credentials
[Actual Result:]

A new entry is saved - username/generated password.
log: https://pastebin.com/Gz4MAkAd

[Expected Result:]

Adding sub-domains capability for the autocomplete and given the fact that the password generation is done on principal (hence all subdomains will generate a distinct secure password), I feel that the expected result would be that we'd merge for this case.

[Note:]

A point we noted was that given subdomain and etld+1 support, we'd want to avoid introducing "duplicate" entries.

Summary: Using generate secure password (from subdomain) using a domain entry will create new set of credentials → Using generate secure password (from subdomain) using a domain username will create new set of credentials

This depends on bug 1559631 though it should already work properly if you don't use generation I think.

Blocks: 589628
Depends on: 1559631
Summary: Using generate secure password (from subdomain) using a domain username will create new set of credentials → Filling generated password (from subdomain) using a domain username will create new saved login

We discussed this for a long time in our team meeting and we don't have any reasonable solutions for the moment but we also don't consider it a blocker for shipping subdomain support.

You need to log in before you can comment on or make changes to this bug.