Closed Bug 1607131 Opened 5 years ago Closed 4 years ago

Add a pref to disallow "insertReplacementText" cancellation for autocomplete, autofill and password manager

Categories

(Core :: DOM: Events, enhancement, P3)

Product:
Core
Component:
DOM: Events
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
84 Branch
Tracking Flags:
Tracking Status
firefox84 --- fixed

People

(Reporter: masayuki, Assigned: masayuki)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1607131 - Make `beforeinput` event for `MozEditableElement.setUserInput()` not cancelable by default r=smaug!
47 bytes, text/x-phabricator-request
Details | Review

MattN said:

I'm not sure this is the desired outcome as sites will abuse this to prevent the browser from autofilling their password or other form autofill info. We already see sites preventing paste in password fields (Paypal was one example). I think we should consider making our internal callers not cancelable or at least see how the other browsers handle this.

I agree with this, and IIRC, I chatted about this issue (disabling password manager, etc, with beforeinput event newly) in a spec issue (I don't remember where it is).

Perhaps, we should firstly implement a pref to make such beforeinput event not cancelable. Then, if such web apps break our users' UX, we should consider whether it's enabled by default or not.

No longer blocks: 1609291

smaug:

If we don't allow web apps to cancel beforeinput only in specific case, which way do you like better?

  • Make the beforeinput event not cancelable
  • Stop dispatching beforeinput event in that case

Currently, I'm thinking that the former is better because:

  • beforeinput event is not always cancelable
  • beforeinput event may be used for other purpose than canceling default action (e.g., updating some state of the web app)

But I'd like your thought before writing the patch.

Flags: needinfo?(bugs)

What do other browsers do here? Webcompat is rather important aspect.

Flags: needinfo?(bugs)

(In reply to Olli Pettay [:smaug] from comment #2)

What do other browsers do here? Webcompat is rather important aspect.

Unfortunately, both Chrome and Safari do no fire beforeinput event for autocomplete/password manager...
I filed Chromium's bug, but not yet of Safari.
https://bugs.chromium.org/p/chromium/issues/detail?id=1051844

Flags: needinfo?(bugs)

I mean they have a bug that they do not fire beforeinput event for their form auto filling, but it's invalid. See "insertReplacementText" value declaration of Input Events.

Assignee: nobody → masayuki
Status: NEW → ASSIGNED

Blink and WebKit do not fire beforeinput event when user uses build-in
password manager and autocomplete. But the inputType value for this case,
"insertReplacementText" is defined as cancelable in the spec, and it's
actually cancelable when it's fired for correcting a word with built-in
spellchecker of them.

For making only our users' autocomplete and password manager not blocked by
web apps, we should make them not cancelable by default, but I think that we
should keep dispatching such non-cancelable beforeinput for conforming to
the standard unless we'd get a web-compat report for this.

Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/378c661f45e4 Make `beforeinput` event for `MozEditableElement.setUserInput()` not cancelable by default r=smaug

https://hg.mozilla.org/mozilla-central/rev/378c661f45e4

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox84: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Flags: needinfo?(bugs)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: