Closed Bug 1650961 Opened 5 years ago Closed 5 years ago

Restrict the clickjacking delay to credit card fields

Categories

(Toolkit :: Form Autofill, defect, P2)

Tracking

VERIFIED FIXED
mozilla80
Tracking Status
firefox78 --- unaffected
firefox79 + verified
firefox80 + verified

People

(Reporter: jimm, Assigned: zbraniecki)

Details

(Keywords: csectype-clickjacking, Whiteboard: [cc-autofill-mvp])

Attachments

(2 files)

The delay we implemented currently applies to all form field drop downs, including username and password drop downs. We should restrict this just to credit cards.

Also, looks like we'll need an uplift to 79 with the fix.

Assignee: nobody → gandalf
Status: NEW → ASSIGNED
Pushed by zbraniecki@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/deedf7ed7bc2 Restrict the clickjacking delay to credit card fields. r=abr

I don't understand the failure nor can I reproduce it locally.

I fired a full try build - https://treeherder.mozilla.org/#/jobs?repo=try&revision=6e0e5252ccb97a570ee6095591eaf595275af77a

Flags: needinfo?(gandalf)
Pushed by zbraniecki@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3a9cc2dab8ec Restrict the clickjacking delay to credit card fields. r=abr
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

Does this need a Beta approval request or can it ride the Fx80 train to release?

Flags: needinfo?(gandalf)

ride fx80 is enough.

Flags: needinfo?(gandalf)

I also pinged you, Zibi, on Riot about this, but I am writing it down here to inform relman about it too. We should uplift this to Beta 79, otherwise we will have password manager ride to Release 79 with that delay, which I am not particularly happy about. Attached a screen recording below.
We are now verifying this fix on Nightly and will make updates on it shortly.

Flags: needinfo?(gandalf)

Comment on attachment 9162043 [details]
Bug 1650961 - Restrict the clickjacking delay to credit card fields. r?abr

(In reply to Zibi Braniecki [:zbraniecki][:gandalf] from comment #9)

> ride fx80 is enough.

I 100% disagree and agree with Timea. The patch applies cleanly and there is no reason to ship with the obvious user-facing regression on all form autocomplete dropdowns.

Beta/Release Uplift Approval Request

  • User impact if declined: Every variant of form autocomplete popup includes an obnoxious visible security delay which the Principal Product/UX Designer doesn't approve of and isn't even necessary/required on most of the affected fields.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Timea is verifying now
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Straightforward guard around this.delayPopupInput in highly-visible UI (I was pinged about this UI very quickly by multiple people) that has been on Nightly for 4 days.
  • String changes made/needed: None
Attachment #9162043 - Flags: approval-mozilla-beta?
Flags: qe-verify+

[Tracking Requested - why for this release]: obvious user-facing regression on all form autocomplete dropdowns

Type: enhancement → defect

Beta try push: https://treeherder.mozilla.org/#/jobs?repo=try&revision=32e7c33c28355088aae157e335b970414200f74e

Edit: decision task failed on the first one so replaced it

Thanks Matt!
Verified-fixed on latest Nightly 80.0a1 (2020-07-14) (64-bit) on Windows 10, MacOS 10.13 and Ubuntu 18.04.
The delay is now applied only for CC autofill dropdowns. Address and Password Manager autocomplete dropdowns are no longer affected by the delay.
Waiting for uplift to Beta to verify further.

I disagree with myself, and I agree with Timea and MattN. We should uplift. Thank you for doing that!

Flags: needinfo?(gandalf)

Comment on attachment 9162043 [details]
Bug 1650961 - Restrict the clickjacking delay to credit card fields. r?abr

Approved for 79.0b9.

Attachment #9162043 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Verified-fixed on latest Beta 79.0b9 on Windows 10, MacOS 10.13 and Ubuntu 18.04.

Status: RESOLVED → VERIFIED
Flags: qe-verify+