Closed Bug 1708766 Opened 3 years ago Closed 3 years ago

login form info saved despite all login info save options disabled

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Version:
Firefox 88
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: vantrip16+bugzilla, Unassigned)

Details

(Keywords: privacy)

Attachments

(1 file)

firefoxOptions.jpg
55.61 KB, image/jpeg
Details
Attached image firefoxOptions.jpg

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0

Steps to reproduce:

(Windows 10 Pro X64 system)

  • Disabled all options under both "Logins and Passwords" and "Forms and Autofill" sections of user options.
  • Enabled "Enable HTTPS-Only Mode in all windows" under "HTTPS-mode only" user options
  • Confirmed there are no saved logins or passwords.
  • Cleared all cookies and history from browser.
  • Logged into user accounts at www.sidefx.com and www.aixterior.com
  • Logging into other websites (including bugzilla), those user IDs are displayed in the form dropdown for autofill

Actual results:

User IDs are displayed as autofill options in login name text entry field on websites despite all autofill options being disabled

Expected results:

No user ID history should be displayed or provided as an autofill option with all Autofill options disabled in user settings.

Group: firefox-core-security
Keywords: privacy

The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Hi Van, thanks for taking the time to file this. My assumption is that you're running into the form history drop down menu. In your about:preferences, under "History" if you change "Remember history" to "Never remember history" and then activate "Clear History" on this particular profile, you should achieve the behavior you're looking for (i.e. no username text is displayed when you focus an input field).

The difference between autofill, autocomplete, and form history is very minute...so I think form history is the culprit here since you've disabled form autofill and the password manager.

Flags: needinfo?(vantrip16+bugzilla)

Hi Tim,
Apologies for the late reply, my machine was gone to be repaired.

Thanks for the explanation on what is occurring here. That does explain the issue, however I would like to note that the difference between form history and form auto-fill is indistinguishable from the user end in this case.

Unfortunately, disabling the history is not a practical solution as it would require me constantly logging back into the forums and other websites I visit frequently throughout each day. My primary concern with this issue is it may allow websites to scrape my existing login data from that history, but perhaps that's me being paranoid (with good reason, given the enormous privacy violations by Facebook and Google in recent years). For the sake of a more efficient workday, I'll just have to live with this particular quirk.

Thanks for checking this out, I appreciate your getting back to me with an explanation for what I was seeing.

Cheers,
Van

Flags: needinfo?(vantrip16+bugzilla)

Thanks again for filing Van, I'm resolving this as invalid. And, for what it's worth, I agree that form history and form auto-fill appear very similar and potentially could be something to improve in the future.

As an aside, I think you may be mixing up history and cookies. If you're logged into a site and you disabled your history, your cookies would not clear (i.e. you wouldn't need to log back in until that cookie expires). Additionally, websites do not have access to your form history until you select an entry from the drop down and that value is pasted into a particular input (i.e. you can view your form history and websites can't access that). I hope this helps clear up what is going on in your particular case!

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID

No problem, thanks Tim.

My apologies, when I delete history I typically blast everything away at the same time and mentally have lumped all the various types together - upon refreshing my perception of things, I more clearly realize what you were suggesting, sorry about that :D

Access to the form history by websites was indeed my primary concern, but it sounds like they are not in fact able to do that which is the assurance I need to quit wondering about it - thanks for the further clarification!

All the best,
Van

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: