Open Bug 1629892 Opened 1 year ago Updated 1 year ago

[false positive] Password generation is offered for the Login password field on bitribe.com

Categories

(Toolkit :: Password Manager: Site Compatibility, defect, P3)

Desktop
All
defect

Tracking

Tracking Status
firefox75 --- disabled
firefox76 --- affected
firefox77 --- affected

People

(Reporter: tbabos, Unassigned)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [passwords:generation])

Affected Versions:
Nightly 77.0a1 (2020-04-14) (64-bit)
Beta 76.0b4

Affected Platforms:
Windows 7/10 x64
MacOS 10.14
Ubuntu 18.04

Steps to reproduce:

  1. Go to bitribe.com and reach the Login form
  2. Click on the password field

Expected Result:
The autocomplete dropdown should not display the Password Generation option

Actual Result:
Password Generation was offered for the password field

Regression-Range:
Not a regression of the new implementation; it also happens on Beta 75 and seems like a site issue, given it has the autocomplete=new-password attribute for this field

Notes:
Password field:
<input placeholder="Enter the password" type="password" autocomplete="new-password" value="">

Thanks Timea for filing this issue; I have reproduced it, and interestingly, the password field on the login page is using autocomplete="new-password" as Timea noted.

Similarly, QA also found (and I verified) a false positive on the password change form for this site, which also uses autocomplete="new-password" on the "Old Password" field there. Note: to reproduce, you will need a burner e-mail account to sign up for the site, then log in and navigate to the password change form.

This means, on both of these pages, the site is using the semantic HTML markup to indicate the field is a new password field (autocomplete="new-password"), even though the field is not a new password field.

This is not a bug with the new password model from Bug 1595244 (and its update in Bug 1625601), which only runs when the autocomplete attribute does not have a value of "new-password", nor is this a bug with the Password Manager's logic, which displays the password generation option in the autocomplete popup when autocomplete="new-password". This is a web compatibility issue for the site.

I filed a webcompat issue.

Severity: -- → S3
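
For site authors who want to check their own forms for the markup problem described in this bug, here is a small lint, added as an example (it is not part of the bug report and is not Firefox code). The function names, the "only password field means login" rule and the old/current/existing wording check are assumptions made for this example; the change-password markup is constructed.

```javascript
// Added example. The role heuristics below are assumptions for illustration,
// not Firefox's Password Manager logic.

// Collect the attributes of every <input> tag in static markup.
// A simple tag scanner: it does not handle ">" inside attribute values.
function parseInputs(html) {
  return (html.match(/<input\b[^>]*>/gi) || []).map((tag) => {
    const attrs = {};
    const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    for (let m; (m = re.exec(tag)) !== null; ) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    return attrs;
  });
}

// Flag password fields marked new-password that look like existing-password
// fields: the only password field in the form (login), or one whose
// name/id/placeholder says old/current/existing.
function auditPasswordFields(formHtml) {
  const pw = parseInputs(formHtml).filter(
    (a) => (a.type || "").toLowerCase() === "password");
  const existing = /(^|[^a-z])(old|current|existing)([^a-z]|$)/;
  const findings = [];
  pw.forEach((a, index) => {
    const tokens = (a.autocomplete || "").toLowerCase().split(/\s+/);
    if (!tokens.includes("new-password")) return;
    const hint = [a.name, a.id, a.placeholder].filter(Boolean).join(" ").toLowerCase();
    if (pw.length === 1 || existing.test(hint)) {
      findings.push({ index, hint, suggest: "current-password" });
    }
  });
  return findings;
}

// Constructed sample markup. The login password field copies the one quoted
// in this bug; the change-password form is invented for the example.
const LOGIN_FORM = `<form>
  <input type="email" placeholder="Enter the email">
  <input placeholder="Enter the password" type="password" autocomplete="new-password" value="">
</form>`;
const CHANGE_FORM = `<form>
  <input type="password" placeholder="Old Password" autocomplete="new-password">
  <input type="password" placeholder="New Password" autocomplete="new-password">
  <input type="password" placeholder="Confirm Password" autocomplete="new-password">
</form>`;

console.log(auditPasswordFields(LOGIN_FORM));
console.log(auditPasswordFields(CHANGE_FORM));
```

Each finding names the field by its position among the form's password inputs and suggests the `current-password` autofill token, which is the HTML value for a field that takes the user's existing password.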