Save doorhanger on form submit is not displayed for fields where new credentials were filled in after deleting autofilled ones
Categories
(Toolkit :: Password Manager, defect, P1)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox74 | --- | unaffected |
firefox75 | --- | disabled |
firefox76 | --- | verified |
firefox77 | --- | verified |
People
(Reporter: tbabos, Assigned: sfoster)
References
(Regression)
Details
(Keywords: regression)
Attachments
(4 files)
180.15 KB,
video/mp4
|
Details | |
28.77 KB,
text/plain
|
Details | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
(rebased for beta) Bug 1627658 - Avoid login capture until user interacts with the document. r?MattN
18.18 KB,
text/plain
|
RyanVM
:
approval-mozilla-beta+
|
Details |
Affected Versions
Nightly 76.0a1 (2020-04-05)
Tested on
Windows 10 x64
Steps to reproduce
- Have 1 set of credentials saved on facebook.com
- Load the Log in Form (ensure credentials are autofilled)
- Delete the autofilled credentials and type in new ones (observe the grey key icon)
- Click on Log In
Expected
The save doorhanger should be displayed on form submit (replaces the dismissed one)
Actual
Save doorhanger on form submit is not displayed, the grey key for the dismissed doorhanger remains displayed
Regression-Range
Introduced via the implementation of Dismissed Doorhanger, Bug 1536728.
Note
Beta 75 has the pref disabled for the dismiss doorhanger.
Reporter | ||
Comment 1•4 years ago
|
||
Assignee | ||
Comment 2•4 years ago
|
||
Confirmed, I see this in the log (and when I reproduced locally)
_compareAndUpdatePreviouslySentValues: values are equivalent, returning true
...which would prevent the parent process from knowing about and handling the form submission and showing the capture UI. I'll need to dig deeper to see what is going on, and how bug 1536728 might have regressed this.
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 3•4 years ago
|
||
I think what's going on here is that
- facebook is using pushState onload, we are treating that as navigation and as the login form has been autofilled and the username and password have values, we end up treating this as an actual submit - populating our
lastSubmittedValuesByRootElement
cache with the autofilled values, with thedismissed
value offalse
. The parent process ends up ignoring this message as the username and password values match the existing saved login which we autofilled. - Later, when you clear and put new values in the username and password fields, the change event goes down the same code path. We have logic in
_compareAndUpdatePreviouslySentValues
which causes the previous value of dismissed to override the current value. The cache is updated with the new values and the message gets sent to the parent process. LoginManagerParent ignores thedismissed:false
property as this is aonPasswordEditedOrGenerated
event for which all doorhangers will be dismissed, so we get the expected result at this point. - When you click submit to login, we go back down the same code path. But the exact same message was already sent - same username, password and dismissed value, so it is ignored and the parent process never hears about it; no doorhanger is created.
Comment 4•4 years ago
|
||
(In reply to Sam Foster [:sfoster] (he/him) from comment #3)
I think what's going on here is that
- facebook is using pushState onload, we are treating that as navigation and as the login form has been autofilled and the username and password have values, we end up treating this as an actual submit - populating our
lastSubmittedValuesByRootElement
cache with the autofilled values, with thedismissed
value offalse
.
Maybe we can add a check for form.document.userHasInteracted
at the top of _formHasModifiedFields
?
Comment 5•4 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Comment 6•4 years ago
|
||
:sfoster, since this bug is a regression, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.
Assignee | ||
Comment 7•4 years ago
|
||
(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #6)
:sfoster, since this bug is a regression, could you fill (if possible) the regressed_by field?
This bug comes out of bug 1603226 (which enables behavior added in bug 1388674), and bug 1536728. If it was necessary to back something out to undo the regression, I guess 1603226 would be the best bet - so I've got the regressed_by field pointing at that. I have a working patch that should be able to be uplifted to fix this however.
Updated•4 years ago
|
Assignee | ||
Comment 8•4 years ago
|
||
Pushed by sfoster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/030ff13c60d1 Avoid login capture until user interacts with the document. r=MattN
Comment 10•4 years ago
|
||
Backed out changeset 030ff13c60d1 (Bug 1627658) for windows mochitest failures in browser/tools/mozscreenshots/permissionPrompts/browser_permissionPrompts.js
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=297310941&repo=autoland&lineNumber=2271
Comment 11•4 years ago
|
||
Backout by shindli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/da2b1829e1fd Backed out changeset 030ff13c60d1 for windows mochitest failures in browser/tools/mozscreenshots/permissionPrompts/browser_permissionPrompts.js
Assignee | ||
Comment 12•4 years ago
|
||
thanks, I've broken this test before, I always forget about it :/
Comment 13•4 years ago
|
||
Pushed by sfoster@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f1d1fe7d1a84 Avoid login capture until user interacts with the document. r=MattN
Comment 14•4 years ago
|
||
bugherder |
Reporter | ||
Comment 15•4 years ago
|
||
Verified-fixed on Nightly 77.0a1 (2020-04-15) (Build ID: 20200415040917) - from Treeherder
Verified on Windows 10, MacOS 10.13 and Ubuntu 18.04.
Also submitted follow-up Bug 1630191 for the "Show password" toggle, more info in that bug.
Assignee | ||
Comment 16•4 years ago
|
||
Comment on attachment 9139354 [details]
Bug 1627658 - Avoid login capture until user interacts with the document. r?MattN
Beta/Release Uplift Approval Request
- User impact if declined: No prompt to save/update password when logging into e.g. facebook.com with changed credentials
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: (see comment #0)
- Have 1 set of credentials saved on facebook.com
- Load the Log in Form (ensure credentials are autofilled)
- Delete the autofilled credentials and type in new ones (observe the grey key icon)
- Click on Log In
Expected
The save doorhanger should be displayed on form submit (replaces the dismissed one)
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small change to existing logic in the password manager code.
- String changes made/needed: None
Assignee | ||
Updated•4 years ago
|
Comment 17•4 years ago
|
||
Comment on attachment 9139354 [details]
Bug 1627658 - Avoid login capture until user interacts with the document. r?MattN
This has conflicts with Beta. Please attach a rebased patch or request approval on any other dependent bugs.
Assignee | ||
Comment 18•4 years ago
|
||
Beta/Release Uplift Approval Request
- User impact if declined: No prompt to save/update password when logging into e.g. facebook.com with changed credentials
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: (see comment #0)
- Have 1 set of credentials saved on facebook.com
- Load the Log in Form (ensure credentials are autofilled)
- Delete the autofilled credentials and type in new ones (observe the grey key icon)
- Click on Log In
- Expected
- The save doorhanger should be displayed on form submit (replaces the dismissed one)
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Small change to existing logic in the password manager code.
- String changes made/needed: None
Updated•4 years ago
|
Comment 19•4 years ago
|
||
Comment on attachment 9140907 [details] (rebased for beta) Bug 1627658 - Avoid login capture until user interacts with the document. r?MattN Approved for 76.0b6.
Comment 20•4 years ago
|
||
bugherder uplift |
Updated•4 years ago
|
Reporter | ||
Comment 21•4 years ago
|
||
Verified fixed on Windows 10 x64, MacOS 10.13 and Ubuntu 16.04 on latest Beta 76.0b6.
Description
•