Closed Bug 1639737 Opened 4 years ago Closed 4 years ago

Password manager doesn't offer to autofill logins on ShopRunner affiliated sites

Component: Toolkit :: Password Manager: Site Compatibility
RESOLVED WONTFIX
Tracking Status
firefox78 --- wontfix

(Reporter: yoasif, Unassigned)

Steps to reproduce:

  1. Navigate to https://www.brooksbrothers.com/Face-Masks/MU00250,default,pd.html
  2. Click on "SIGN IN" near the ShopRunner logo and text "free 2-day shipping"

What happens:

I am not offered a login via ShopRunner (I have the login saved).

Expected result:

Ideally, Firefox would detect that this site is using ShopRunner and I would be offered that login.

ShopRunner offers free shipping on hundreds of sites but is not the first-party vendor; it is a third party: https://www.shoprunner.com/stores/

Type: defect → enhancement
See Also: → 1639738

Thank you for taking the time to file this bug.

Upon investigation, it appears that the ShopRunner login form referenced in the STR is markup that is injected into the BrooksBrothers.com origin document. This mixing of credentials from one origin to another is a security anti-pattern. Ideally, ShopRunner's login form would be loaded into a ShopRunner.com origin document (e.g. in an iframe). If that were the case, then the Password Manager would work as you expect.

Given that, I will mark this bug as a WONTFIX.

That said, if ShopRunner and BrooksBrothers are the same entity, then it is possible we could make a realms recipe for this (see Bug 1120684), but as some of the comments in that bug explain, there are very high maintenance costs for this approach and security risks if maintenance falls short.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX

> Upon investigation, it appears that the ShopRunner login form referenced in the STR is markup that is injected into the BrooksBrothers.com origin document. This mixing of credentials from one origin to another is a security anti-pattern. Ideally, ShopRunner's login form would be loaded into a ShopRunner.com origin document (e.g. in an iframe). If that were the case, then the Password Manager would work as you expect.

I agree that it is an anti-pattern - is there something that Mozilla could do to educate ShopRunner on the fact that their partners are doing this (to increase overall security on the web)?

Ideally, this would work, and if it is part social/part technical challenge, it would be cool if Firefox could help drive that. :)

That's a great question. Certainly Mozilla has developer evangelists and a web compatibility team, though this doesn’t really fall into their purview. In general, our ability to reach out to individual sites (given the vastness of the web) is very limited.

I was trying to find a good resource on this, but the closest I could find is pretty focused on implementation details for a different cross-origin scenario: Same Origin Policy.

While there is an elevated risk for the user, it seems reasonable that if/when we implement realm support, we could provide a way for users to add their own realms if they would like to associate a login with multiple domains (Bug 1120684 mentioned above).
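The following is an added illustration, not code from Firefox's Password Manager or from this bug. It models the origin-keyed login matching that the WONTFIX comment describes (saved logins are keyed by the origin of the document they belong to) and the realm idea from the last comment (letting one origin share another origin's logins), using the URLs from the STR. The saved-login record, the `https://www.shoprunner.com/login` frame URL and the `loginsForForm` / `crossOriginExposure` helpers are constructed for the example and are assumptions about how such matching works, not Firefox internals.

```javascript
// Added example (not Firefox code): a toy model of origin-keyed login matching.
// It shows why a third-party login form injected into a first-party document gets
// no autofill offer, why the same form in an <iframe> from the third party's own
// origin would, and what a "realm" that maps one origin onto another costs.
// The saved-login record and the frame URL below are constructed for illustration.

// A saved login is keyed by the origin of the document it was captured on.
const savedLogins = [
  { origin: "https://www.shoprunner.com", username: "alice@example.com", password: "hunter2" },
];

// Reduce a URL to its origin (scheme + host + port), like window.location.origin.
function originOf(url) {
  return new URL(url).origin;
}

// Pick the saved logins a password manager would offer for a form, given the
// URL of the document that actually contains the form. `realms` is an optional
// map from a document origin to the origin whose logins it may reuse (the
// "realms recipe" idea from the bug); by default an origin only sees its own.
function loginsForForm(documentUrl, logins, realms = {}) {
  const docOrigin = originOf(documentUrl);
  const effectiveOrigin = realms[docOrigin] || docOrigin;
  return logins.filter((login) => login.origin === effectiveOrigin);
}

// True when a credential filled into a form in `documentUrl` belongs to a
// different origin than the document. Under the same-origin policy every script
// running in that document can read the filled value, so this is the condition
// under which the credential leaks across origins.
function crossOriginExposure(documentUrl, login) {
  return originOf(documentUrl) !== login.origin;
}

const storePage = "https://www.brooksbrothers.com/Face-Masks/MU00250,default,pd.html";
const shopRunnerFrame = "https://www.shoprunner.com/login"; // assumed frame URL

// Layout 1: the STR. ShopRunner's markup is injected into the brooksbrothers.com
// document, so the form's document origin is brooksbrothers.com and no
// shoprunner.com login matches: nothing is offered.
const injected = loginsForForm(storePage, savedLogins);

// Layout 2: the form lives in an <iframe> whose document is served from
// shoprunner.com. The frame's own document origin is what matters, so the
// saved login matches and would be offered.
const framed = loginsForForm(shopRunnerFrame, savedLogins);

// Layout 3: a realm mapping brooksbrothers.com onto shoprunner.com. The injected
// form now gets the login, but the filled ShopRunner credential is readable by
// any script in the brooksbrothers.com document, which is the elevated risk the
// bug mentions and why such a mapping needs ongoing maintenance.
const storeRealm = { "https://www.brooksbrothers.com": "https://www.shoprunner.com" };
const realmed = loginsForForm(storePage, savedLogins, storeRealm);

function summary() {
  return {
    injectedOffers: injected.length,                                   // 0
    framedOffers: framed.length,                                       // 1
    realmedOffers: realmed.length,                                     // 1
    framedLeaks: framed.length > 0 && crossOriginExposure(shopRunnerFrame, framed[0]),  // false
    realmedLeaks: realmed.length > 0 && crossOriginExposure(storePage, realmed[0]),     // true
  };
}

console.log(summary());
```

Run it with Node: layout 1 yields no offer, layout 2 yields the ShopRunner login with no cross-origin exposure, and layout 3 yields the login but with the credential exposed to the store's origin. The point of the model is that the matching key is the origin of the document the form is in, not where the markup came from or where the form posts to, which is exactly why an iframe from ShopRunner's origin fixes the STR without a realm.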
