Closed Bug 1724136 Opened 2 years ago Closed 1 year ago

Password Manager fails when username is on one page and password is on another

Categories

(Toolkit :: Password Manager, defect, P2)

Tracking

VERIFIED FIXED
94 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox-esr91 --- disabled
firefox91 --- disabled
firefox92 --- disabled
firefox93 --- wontfix
firefox94 --- verified

People

(Reporter: eros_uk, Assigned: dlee)

References

(Depends on 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(2 files)

Further to a discussion with dveditz on #security:mozilla.org, there appears to be an issue when a different domain is used for the login process.

In this case:
From login.ubuntu.com to ubuntuforums.org.

STR

  1. on ubuntuforums.org click the "login with SSO" button. I had already created an account with login.ubuntu.com, but hadn't logged into ubuntuforums yet.
  2. autofill name and password and click submit (this is fine)
  3. I get a "Personal Data Request" page that says ubuntuforums.org wants to know my name/address -- typical OAuth. On this page there's a hidden openid.usernamesecret field, with the hidden label "Leave this field blank to prove your humanity". Firefox has filled in my email address there.
  4. submit the form
  5. get the "bad robot" text

Notes

  • The issue started in Nightly 91
  • Turning off Autofill logins and passwords in Settings prevents the problem

Also: https://ubuntuforums.org/showthread.php?t=2464990

Regressed by: 1708455
Has Regression Range: --- → yes

The markup of the form (In my case the form is hidden):

<form action="" method="POST" name="decideform">
<div style="display: none;">
    <label>Leave this field blank to prove your humanity
        <input type="text" name="openid.usernamesecret" value="">
    </label>
</div>
</form>

Severity: -- → S3
Priority: -- → P2

Hey Dimi, is there a chance we'll be able to fix this regression in the 93 time frame?

Flags: needinfo?(dlee)

(In reply to Julien Cristau [:jcristau] from comment #3)

> Hey Dimi, is there a chance we'll be able to fix this regression in the 93 time frame?

Hi Julien,
Probably not :(
Since my plan is to enable multi-page login form support in 94, I'll try to fix this in 94.

Flags: needinfo?(dlee)
Assignee: nobody → dlee
Status: NEW → ASSIGNED

Thanks for the pointers. I guess bug 1721971 means this bug does not currently affect release, just nightly?

(In reply to Julien Cristau [:jcristau] from comment #5)

> Thanks for the pointers. I guess bug 1721971 means this bug does not currently affect release, just nightly?

Yes, nightly and early beta.

Since _getFormFields calls getUsernameFieldFromUsernameOnlyForm,
we don't have to call getUsernameFieldFromUsernameOnlyForm in onFormSubmit.
Instead, we can just use the result of _getFormFields to know whether a username-only
form is submitted.
This also makes sure we use the site recipe while checking if the form is a
username-only form during form submission.

Depends on D124339

Keywords: leave-open
Pushed by dlee@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a8ca5104f6f8
P1. Support filtering out username-only forms by site recipes r=sfoster,tgiles
https://hg.mozilla.org/integration/autoland/rev/3a0f70175d72
P2. Restructure onFormSubmit function r=sfoster,tgiles
Depends on: 1247245
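
The behaviour reported above and the recipe-based filtering named in the patch titles, as an added example that is not Firefox's code and not part of the original bug: a single classification function drops excluded fields before deciding whether a form is username-only, and both the fill path and the submit path consume it. The form objects, the host `sso.example`, the recipe shape, the function names and the visibility guard are assumptions made for illustration; only the field name `openid.usernamesecret` comes from the report.

```javascript
// Added example: a simplified model, not Firefox's password manager code.
// Forms are plain objects: { origin, fields: [{ name, type, visible }] }.

// Hypothetical per-site recipes listing fields that must never be
// treated as a username field.
const RECIPES = [
  { hosts: ["sso.example"], notUsernameFields: ["openid.usernamesecret"] },
];

function recipeFor(origin) {
  const host = new URL(origin).host;
  return RECIPES.find((r) => r.hosts.includes(host)) || null;
}

// Naive heuristic: no password input and exactly one text-like input
// means "username-only form" (first page of a multi-page login).
function naiveUsernameField(form) {
  if (form.fields.some((f) => f.type === "password")) return null;
  const texts = form.fields.filter((f) => f.type === "text" || f.type === "email");
  return texts.length === 1 ? texts[0] : null;
}

// Single decision point: drop recipe-excluded fields and (an extra guard
// assumed for this example) fields the user cannot see, then classify.
function getFormFields(form) {
  const recipe = recipeFor(form.origin);
  const excluded = new Set(recipe ? recipe.notUsernameFields : []);
  const fields = form.fields.filter((f) => f.visible && !excluded.has(f.name));
  return { usernameField: naiveUsernameField({ ...form, fields }) };
}

// Fill and submit handling both consume getFormFields, so a recipe
// cannot apply on one path and be missed on the other.
const shouldAutofillUsername = (form) => getFormFields(form).usernameField !== null;
const isUsernameOnlySubmit = (form) => getFormFields(form).usernameField !== null;

// Constructed sample forms.
const honeypotForm = {
  origin: "https://sso.example",
  fields: [{ name: "openid.usernamesecret", type: "text", visible: false }],
};
const realUsernamePage = {
  origin: "https://sso.example",
  fields: [{ name: "email", type: "email", visible: true }],
};
```

With the naive heuristic alone, the honeypot form is classified as a username-only login form, which is the condition under which the field in the report was filled.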

Hi Timea, the patch has landed in 94 and the recipe is also in RemoteSettings now, could you help verify whether this is fixed? Thanks!

Flags: needinfo?(timea.babos)

Hi Dimi, something might've changed with the page since I am not able to reach the "Personal Data Request" page mentioned by the reporter. After hitting submit, I will reach the My Account page.

Hi erosman, could you please check whether this is fixed on your side? It should be fixed in the latest Firefox Nightly 94 build, please download it from here: https://www.mozilla.org/en-US/firefox/channel/desktop/. Please make sure to download the Nightly build and let us know how it goes.

Flags: needinfo?(timea.babos) → needinfo?(eros_uk)

I have been using it with Autofill logins and passwords set to unchecked which bypasses the bug.

I tested it right now with the latest Nightly and above checked and there was no problem, so it is fixed for the site/test-case that was mentioned in the initial post.

Flags: needinfo?(eros_uk)

Thanks for the fast check!

Dimi, seems like this is safe to be marked as Fixed.

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Keywords: leave-open
Target Milestone: --- → 94 Branch
Flags: qe-verify+

Hi erosman, I was not able to reproduce the issue before the fix. I know you already checked in the Nightly build, but would it be possible for you to check against the latest Beta 94 (just to make sure that the issue is fixed on the release version)?

Thank you so much.

Flags: needinfo?(eros_uk)

Tested on Win7 with 94.0b8 (http://ftp.mozilla.org/pub/firefox/releases/94.0b7/win64/en-US/Firefox%20Setup%2094.0b7.exe) and the bug appears to be fixed.

Flags: needinfo?(eros_uk)

Closing based on previous comment and since not reproducing on Beta 94.0b8 on Win10 and Ubuntu 20.4.

Status: RESOLVED → VERIFIED
Flags: qe-verify+