Closed Bug 1724136 Opened 3 months ago Closed 16 days ago

Password Manager fails when username is on one page and password is on another

Categories

(Toolkit :: Password Manager, defect, P2)

RESOLVED FIXED
94 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- disabled
firefox91 --- disabled
firefox92 --- disabled
firefox93 --- wontfix
firefox94 --- fixed

People

(Reporter: eros_uk, Assigned: dimi)

References

(Depends on 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Further to a discussion with dveditz on #security:mozilla.org, there appears to be an issue when a different domain is used for the login process.

In this case:
From login.ubuntu.com to ubuntuforums.org.

STR

  1. on ubuntuforums.org click the "login with SSO" button. I had already created an account with login.ubuntu.com, but hadn't logged into ubuntuforums yet.
  2. autofill name and password and click submit (this is fine)
  3. I get a "Personal Data Request" page that says ubuntuforums.org wants to know my name/address -- typical OAuth. On this page there's a hidden openid.usernamesecret hidden field, with the hidden label "Leave this field blank to prove your humanity". Firefox has filled in my email address there.
  4. submit the form
  5. get the "bad robot" text

Notes

  • The issue started in Nightly 91
  • Turning off Autofill logins and passwords in Settings prevents the problem

Also: https://ubuntuforums.org/showthread.php?t=2464990

Regressed by: 1708455

The markup of the form (In my case the form is hidden):

<form action="" method="POST" name="decideform">
<div style="display: none;">
    <label>Leave this field blank to prove your humanity
        <input type="text" name="openid.usernamesecret" value="">
    </label>
</div>
</form>

Severity: -- → S3
Priority: -- → P2

Hey Dimi, is there a chance we'll be able to fix this regression in the 93 time frame?

Flags: needinfo?(dlee)

(In reply to Julien Cristau [:jcristau] from comment #3)

> Hey Dimi, is there a chance we'll be able to fix this regression in the 93 time frame?

Hi Julien,
Probably not :(
Since my plan is to enable multi-page login form support in 94, I'll try to fix this in 94.

Flags: needinfo?(dlee)
Assignee: nobody → dlee
Status: NEW → ASSIGNED

Thanks for the pointers. I guess bug 1721971 means this bug does not currently affect release, just nightly?

(In reply to Julien Cristau [:jcristau] from comment #5)

> Thanks for the pointers. I guess bug 1721971 means this bug does not currently affect release, just nightly?

yes, nightly and early beta.

Since _getFormFields calls getUsernameFieldFromUsernameOnlyForm,
we don't have to call getUsernameFieldFromUsernameOnlyForm in onFormSubmit.
Instead, we can just use the result of _getFormFields to know whether a username-only
form is submitted.
This also makes sure we use the site recipe while checking if the form is a
username-only form during form submission.

Depends on D124339

Keywords: leave-open
Pushed by dlee@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a8ca5104f6f8
P1. Support filtering out username-only forms by site recipes r=sfoster,tgiles
https://hg.mozilla.org/integration/autoland/rev/3a0f70175d72
P2. Restructure onFormSubmit function r=sfoster,tgiles
Depends on: 1247245
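
The failure and the recipe-based fix discussed in this bug, as an added example that is not Firefox's code and not part of the original thread: a simplified model of username-only form detection, showing why the reported honeypot field gets filled and how a per-site recipe suppresses it. The heuristic regex, the function names, the recipe shape (`host`, `notUsernameNames`) and the assumption that the form is served from login.ubuntu.com are all hypothetical.

```javascript
// Added illustration: simplified model, NOT Firefox's LoginManager code.
// Forms are plain objects so the example runs without a DOM.

// Assumed heuristic: a text-like input "looks like" a username field if its
// autocomplete hint says so or its name/id contains a username-ish word.
const USERNAME_HINT = /user|login|email/i;

function looksLikeUsername(input) {
  if (input.autocomplete === "username") return true;
  return USERNAME_HINT.test(input.name || "") || USERNAME_HINT.test(input.id || "");
}

// Returns the input to autofill on a username-only form, or null.
// `recipe` is a hypothetical per-site override: { host, notUsernameNames: [...] }.
function usernameOnlyField(form, host, recipe = null) {
  const inputs = form.inputs;
  if (inputs.some((i) => i.type === "password")) return null; // not username-only
  const candidates = inputs.filter((i) => ["text", "email"].includes(i.type));
  if (candidates.length !== 1) return null; // ambiguous or empty form
  const field = candidates[0];
  if (recipe && recipe.host === host && recipe.notUsernameNames.includes(field.name)) {
    return null; // site recipe: never treat this field as a username
  }
  return looksLikeUsername(field) ? field : null;
}

// Constructed sample: the "decideform" honeypot markup quoted in this bug.
const decideForm = {
  name: "decideform",
  inputs: [{ type: "text", name: "openid.usernamesecret", value: "" }],
};
// Constructed sample recipe; the host is assumed to be the SSO origin in the report.
const recipe = { host: "login.ubuntu.com", notUsernameNames: ["openid.usernamesecret"] };

function demo() {
  const host = "login.ubuntu.com";
  return {
    filledWithoutRecipe: usernameOnlyField(decideForm, host) !== null,
    filledWithRecipe: usernameOnlyField(decideForm, host, recipe) !== null,
  };
}

console.log(demo());
```

The name-based match on `openid.usernamesecret` is what makes the honeypot look like a login field in this model; the recipe only takes effect for the host it names.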

Hi Timea, the patch has landed in 94 and the recipe is also in RemoteSettings now. Could you help verify whether this is fixed? Thanks!

Flags: needinfo?(timea.babos)

Hi Dimi, something might've changed with the page since I am not able to reach the "Personal Data Request" page mentioned by the reporter. After hitting submit, I will reach the My Account page.

Hi erosman, could you please check this out if it is fixed on your side? Should be fixed in the latest Firefox Nightly 94 build, please download it from here: https://www.mozilla.org/en-US/firefox/channel/desktop/. Please make sure to Download the Nightly build and let us know how it goes.

Flags: needinfo?(timea.babos) → needinfo?(eros_uk)

I have been using it with Autofill logins and passwords set to unchecked which bypasses the bug.

I tested it right now with the latest Nightly and above checked and there was no problem, so it is fixed for the site/test-case that was mentioned in the initial post.

Flags: needinfo?(eros_uk)

Thanks for the fast check!

Dimi, seems like this is safe to be marked as Fixed.

Status: ASSIGNED → RESOLVED
Closed: 16 days ago
Resolution: --- → FIXED
Keywords: leave-open
Target Milestone: --- → 94 Branch
Flags: qe-verify+