Password Manager fails when username is on one page and password is on another
Categories
(Toolkit :: Password Manager, defect, P2)
Tracking
()
People
(Reporter: eros_uk, Assigned: dlee)
References
(Depends on 1 open bug, Regression)
Details
(Keywords: regression)
Attachments
(2 files)
Further to a discussion with dveditz on #security:mozilla.org, there appears to be an issue when a different domain is used for login process.
In this case:
From login.ubuntu.com to ubuntuforums.org.
STR
- on
ubuntuforums.orgclick the "login with SSO" button. I had already created an account withlogin.ubuntu.com, but hadn't logged into ubuntuforums yet. - autofill name and password and click submit (this is fine)
- I get a "Personal Data Request" page that says
ubuntuforums.orgwants to know my name/address -- typical OAuth. On this page there's a hidden openid.usernamesecret hidden field, with the hidden label "Leave this field blank to prove your humanity". Firefox has filled in my email address there. - submit the form
- get the "bad robot" text
Notes
- The issue started in Nightly 91
- Turning off Autofill logins and passwords in Settings prevents the problem
|
||
Comment 1•3 years ago
|
||
If you've
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 2•3 years ago
|
||
The markup of the form (In my case the form is hidden):
<form action="" method="POST" name="decideform">
<div style="display: none;">
<label>Leave this field blank to prove your humanity
<input type="text" name="openid.usernamesecret" value="">
</label>
</div>
</form>
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Comment 3•3 years ago
|
||
Hey Dimi, is there a chance we'll be able to fix this regression in the 93 time frame?
|
|
Assignee | |
Comment 4•3 years ago
|
||
(In reply to Julien Cristau [:jcristau] from comment #3)
Hey Dimi, is there a chance we'll be able to fix this regression in the 93 time frame?
Hi Julien,
Probably not :(
Since my plan is to enable multi-page login form support in 94, I'll try to fix this in 94.
|
|
Assignee | |
Updated•3 years ago
|
|
|
||
Comment 5•3 years ago
|
||
Thanks for the pointers. I guess bug 1721971 means this bug does not currently affect release, just nightly?
|
|
Assignee | |
Comment 6•3 years ago
|
||
(In reply to Julien Cristau [:jcristau] from comment #5)
Thanks for the pointers. I guess bug 1721971 means this bug does not currently affect release, just nightly?
yes, nightly and early beta.
|
|
||
Comment 7•3 years ago
|
||
Great, thank you.
|
|
Assignee | |
Comment 8•3 years ago
|
||
|
|
Assignee | |
Comment 9•3 years ago
|
||
Since _getFormFields calls getUsernameFieldFromUsernameOnlyForm,
we don't have to call getUsernameFieldFromUsernameOnlyForm in onFormSubmit.
Instead, We can just use the result of _getFormFields to know whether an username-only
form is submitted.
This also makes sure we use the site recipe while check if the form is a
username-only form during form submission.
Depends on D124339
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 10•3 years ago
|
||
Pushed by dlee@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a8ca5104f6f8 P1. Support filtering out username-only forms by site recipes r=sfoster,tgiles https://hg.mozilla.org/integration/autoland/rev/3a0f70175d72 P2. Restructure onFormSubmit function r=sfoster,tgiles
|
||
Comment 11•3 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Comment 12•3 years ago
|
||
Hi Timea, The patch is landed in 94 and the recipe is also in the RemoteSettting now, could you help verify whether this is fixed? thanks!
|
||
Comment 13•3 years ago
|
||
Hi Dimi, something might've changed with the page since I am not able to reach the "Personal Data Request" page mentioned by the reporter. After hitting submit, I will reach the My Account page.
Hi erosman, could you please check this out if it is fixed on your side? Should be fixed in the latest Firefox Nightly 94 build, please download it from here: https://www.mozilla.org/en-US/firefox/channel/desktop/. Please make sure to Download the Nightly build and let us know how it goes.
|
Reporter | |
Comment 14•3 years ago
|
||
I have been using it with Autofill logins and passwords set to unchecked which bypasses the bug.
I tested it right now with the latest Nightly and above checked and there was no problem, so it is fixed for the site/test-case that was mentioned in the initial post.
|
|
||
Comment 15•3 years ago
•
|
||
Thanks for the fast check!
Dimi, seems like this is safe to be marked as Fixed.
|
|
Assignee | |
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Updated•3 years ago
|
|
||
Comment 16•3 years ago
|
||
Hi erosman, I was not able to reproduce the issue before the fix. I know you already check in Nightly build, but would it possible for you to check against latest Beta 94 (just to make sure that issue is fixed on release version)?.
Thank you so much.
|
|
Reporter | |
Comment 17•3 years ago
•
|
||
Tested on Win7 with 94.0b8 (http://ftp.mozilla.org/pub/firefox/releases/94.0b7/win64/en-US/Firefox%20Setup%2094.0b7.exe) and the bug appears to be fixed.
|
|
||
Comment 18•3 years ago
|
||
Closing based on previous comment and since not reproducing on Beta 94.0b8 on Win10 and Ubuntu 20.4.
|
|
||
Updated•3 years ago
|
Description
•