Password autofill is enabled on insecure pages
Categories: GeckoView :: General, defect, P1
Tracking: firefox88 wontfix, firefox89 wontfix, firefox90 fixed
People: Reporter: jwkbugzilla, Assigned: agi
Details: Keywords: sec-moderate, Whiteboard: [geckoview:m90][adv-main90+]
Attachments: 2 files, 1 obsolete file
I generally consider autofill without user interaction problematic (see https://palant.info/2018/08/29/password-managers-please-make-sure-autofill-is-secure/#5-require-a-user-action-for-autofill). However, Mozilla already decided that it is a justified risk on secure websites, and that’s the behavior implemented on desktop. What’s different on mobile: autofill is also enabled for insecure websites (plain HTTP). This is because of the signon.autofillForms.http preference being true by default on mobile but not on desktop.
I can see that this behavior was introduced in bug 1330111. I cannot see a discussion about security implications there, so I have to assume that this is an unintended side-effect. This change pre-dates Fenix, maybe things worked differently with Fennec.
Comment 1•4 years ago
> This is because of signon.autofillForms.http preference being true by default on mobile but not on desktop.
Do we follow this preference? Agi, do you know why this is true on mobile while disabled on desktop?
This one is very important to get right with the upcoming credit card and address autofill work.
Comment 2•4 years ago (Assignee)
Likely oversight, esawin might know more.
Comment 3•4 years ago (Reporter)
As I said, this behavior was introduced in bug 1330111 – see first patch, named “Always attempt to autocomplete on type=password fields upon focus.” See also bug 1330111 comment 69. I don’t really understand the reasoning but that’s probably because the Fennec implementation was considerably different.
Comment 4•4 years ago
This also predates my involvement, but seems deliberate. Would need to look in detail on why that was enabled for Fennec and whether that's still a required workaround for GV.
Comment 5•4 years ago
Nominating for inclusion into GV 90 to make sure that at least credit card autofill is only available on secure pages.
Comment 6•4 years ago (Assignee)
Looked into it a little bit. The change is deliberate here: https://bugzilla.mozilla.org/show_bug.cgi?id=1330111#c69 and this has been the behavior for a long time, so I'm not sure that leaving this bug restricted makes sense.
We should probably display a warning for HTTP logins, similar to what happens on desktop.
Looks like we can disable the flag on Fenix and the effect will be that users have to click on the login field to autofill, which seems appropriate for HTTP pages.
Note that just setting the pref to false does not disallow autofilling on HTTP pages, it just requires user interaction.
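A profile-level check for the setting discussed in this thread, added here as an example and not part of the bug, its patches or the Firefox code base: it reads a Gecko profile's prefs.js from stdin and reports whether password autofill on plain-HTTP pages happens without a user action, falling back to the platform default when the profile does not set the pref. The defaults it assumes are the ones stated above (true on mobile before this fix, false on desktop); the function name, the constructed sample prefs lines and the "no-interaction"/"on-click" labels are this example's own.

```shell
#!/bin/sh
# Added example: audit a Gecko profile's prefs.js for signon.autofillForms.http.
# Usage: http_autofill_mode desktop|mobile < /path/to/profile/prefs.js

# Constructed prefs.js content for the demo (not taken from a real profile).
SAMPLE_PREFS='user_pref("browser.startup.homepage", "about:blank");
user_pref("signon.autofillForms.http", true);
user_pref("signon.rememberSignons", true);'

# Prints "no-interaction" when password autofill on plain-HTTP pages happens on
# page load/focus, or "on-click" when the user must click the login field first.
# Caveat from comment 6 above: false does not disable autofill on HTTP pages,
# it only requires a user action. The platform argument supplies the built-in
# default (assumed: true on mobile before this fix, false on desktop) when the
# profile does not set the pref explicitly.
http_autofill_mode() {
  case $1 in
    mobile)  value=true ;;
    desktop) value=false ;;
    *) echo "usage: http_autofill_mode desktop|mobile < prefs.js" >&2; return 2 ;;
  esac
  # The last explicit user_pref line wins, matching how prefs.js is applied.
  explicit=$(grep '^user_pref("signon\.autofillForms\.http"' \
             | tail -n 1 \
             | sed 's/.*, *\([a-z]*\)).*/\1/')
  [ -n "$explicit" ] && value=$explicit
  if [ "$value" = true ]; then
    echo no-interaction
  else
    echo on-click
  fi
}

# Demo: a mobile profile carrying the pre-fix default, then one with the pref
# flipped to false (autofill still possible on HTTP, but only after a click).
printf '%s\n' "$SAMPLE_PREFS" | http_autofill_mode mobile
printf 'user_pref("signon.autofillForms.http", false);\n' | http_autofill_mode mobile
```

The check deliberately reports "on-click" rather than "disabled" for the false case, because, as noted above, the pref only removes the no-interaction path; disabling HTTP autofill entirely is a separate setting that this example does not model.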
Comment 7•4 years ago
Comment 8•4 years ago
Cleanup mobile.js r=aklotz
https://hg.mozilla.org/integration/autoland/rev/5317bf4bca8960c8daedd814b0763a8bc0af75b0
https://hg.mozilla.org/mozilla-central/rev/5317bf4bca89
Comment 9•4 years ago
Comment 10•4 years ago