Open Bug 1640008 Opened 5 years ago Updated 5 years ago

The password manager trusts sites with mislabeled <input> `autocomplete` attributes

Categories

(Toolkit :: Password Manager, enhancement, P3)

People

(Reporter: severin, Unassigned)

References

(Blocks 2 open bugs)

Details

Currently, we trust the autocomplete attribute of <input> fields, and do not run the Fathom model on fields with autocomplete="new-password". However, some websites use this value where it is inappropriate, either as a mistake or in an attempt to confuse or disable autofill. This can lead to weird behavior, such as offering a generated password on a login screen.

Possible solutions:

  • Evangelism: we can reach out to devs and ask them to change these labels. This sometimes works, but it's very time consuming and doesn't move the needle much.
  • Treat autocomplete as an input to our model, and run it everywhere. This seems to be what Chrome does. It could help some cases, but might also break places that currently work. It also ignores the specification, and does not leave devs with a way to fix sites that are misunderstood by the model.
  • Run the model everywhere, but only override the 'autocomplete' attribute if the confidence threshold is very high. This has the same benefits and problems as the above, but both are somewhat mitigated.
  • ????

Edit: s/autofill/autocomplete/ –MattN
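
The sketch below is an added example, not Firefox code and not part of the original report. It contrasts the behaviour described as current with the third proposed option (override the label only at very high model confidence). The function names, both thresholds, and the sample scores are assumptions made for illustration; `score` stands in for whatever probability the model would report.

```javascript
// Added illustration: every name and number below is hypothetical, not Firefox code.
const MODEL_THRESHOLD = 0.5;      // assumed cut-off when the field carries no label
const OVERRIDE_CONFIDENCE = 0.95; // assumed "very high" bar for overriding a label

// score: assumed model output, the probability (0..1) that this is a new-password field.
// Behaviour the report describes as current: the label wins, the model is skipped.
function classifyTrustingAttribute(autocomplete, score) {
  if (autocomplete === "new-password") {
    return { newPassword: true, decidedBy: "attribute" };
  }
  return { newPassword: score >= MODEL_THRESHOLD, decidedBy: "model" };
}

// Third option: the model runs on every field, but a new-password label is only
// overridden when the model contradicts it with very high confidence.
function classifyWithOverride(autocomplete, score) {
  if (autocomplete !== "new-password") {
    return { newPassword: score >= MODEL_THRESHOLD, decidedBy: "model" };
  }
  // The label claims new-password, so the confidence against it is 1 - score.
  if (1 - score >= OVERRIDE_CONFIDENCE) {
    return { newPassword: false, decidedBy: "model-override" };
  }
  return { newPassword: true, decidedBy: "attribute" };
}

// Constructed sample fields; the scores are made up for this example.
const SAMPLE_FIELDS = [
  { name: "login form, mislabeled", autocomplete: "new-password", score: 0.02 },
  { name: "signup form, correct label", autocomplete: "new-password", score: 0.97 },
  { name: "ambiguous form, labelled", autocomplete: "new-password", score: 0.30 },
  { name: "unlabelled signup form", autocomplete: "", score: 0.80 },
];

function comparePolicies(fields) {
  return fields.map((f) => ({
    name: f.name,
    current: classifyTrustingAttribute(f.autocomplete, f.score),
    override: classifyWithOverride(f.autocomplete, f.score),
  }));
}

console.table(comparePolicies(SAMPLE_FIELDS).map((r) => ({
  name: r.name,
  current: r.current.newPassword,
  override: `${r.override.newPassword} (${r.override.decidedBy})`,
})));
```

In the ambiguous case the label still decides, which is how this option keeps a way for developers to correct a field the model misreads.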

Blocks: 1633271
Blocks: 1583445
Severity: -- → N/A
Priority: -- → P3
Summary: The password manager trusts sites with mislabeled <input> `autofill` attributes → The password manager trusts sites with mislabeled <input> `autocomplete` attributes