Open Bug 1731143 Opened 4 years ago Updated 4 years ago

Ability to disable password autofill + generation on a per site basis

Categories

(Toolkit :: Password Manager, enhancement, P3)

Firefox 92


ASSIGNED

People

(Reporter: mczack, Assigned: serg)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36

Steps to reproduce:

  1. Turn on Strong Password Generation
  2. Browse to sites where certain fields trigger the password generation
  3. Passwords generated go against certain internal policies (I know), or Firefox offers to generate a password in a non-password field.

Expected results:

We'd like a preference to be able to disable this from a site by site level OR disable only strong preference generation

The Bugbug bot thinks this bug should belong to the 'Toolkit::Form Autofill' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Form Autofill
Product: Firefox → Toolkit
Component: Form Autofill → Password Manager

(In reply to Zack McCauley from comment #0)

> 3. Passwords generated go against certain internal policies (I know), or Firefox offers to generate a password in a non-password field.

Can you point to an example or a reduced test case where Firefox is offering to generate a password on a non-password field? Is this a type=password input that is used for some other content that should be masked?

Flags: needinfo?(mczack)

We've had folks report it on our internal benefits portal (I've not been able to replicate this) for items like SSN/ID numbers that are *'d out.

> We'd like a preference to be able to disable this from a site by site level OR disable only strong preference generation

Using signon.generation.enabled = false in the additional preferences control for policies works for our immediate need but is a bit overkill so we're gonna push back hard as well.

Ideally this could be extended to password manager exclusions (including generation, password save prompts, and autofill) for specified sites.

Flags: needinfo?(mczack)

Zack, what might work for you is if you're able to add the internal benefits portal to the "Exceptions" list in about:preferences -> Privacy & Security -> Logins and Passwords -> Exceptions. I don't know if you're able to add websites to that list via policy or not (I'm assuming you mean some enterprise policy that is loaded into Firefox, I'm not very familiar with how we handle things like that...it's outside my wheelhouse), that's something I would need to look up.

> items like SSN/ID numbers that are *'d out.

Sounds like these input fields are using type=password in order to hide the currently shown characters. We could work around this, but we would have to look at "hints" on the input field itself to determine if it's really a password input or not. We might have something like this in the backlog already, I'll search around sometime for it.

NI'ing myself so I can visit this later.

Flags: needinfo?(tgiles)
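The "hints" idea raised in the comment above, sketched as an added example; it is not part of the thread and not Firefox's password manager code. The field-descriptor shape, the hint patterns and both function names are assumptions made for illustration.

```javascript
// Added illustration only; not Firefox's password manager code.
// Fields are plain objects mirroring <input> attributes, so this runs without a DOM.

// autocomplete tokens defined by the HTML spec.
const PASSWORD_TOKENS = new Set(["current-password", "new-password"]);
const OTHER_SECRET_TOKENS = new Set(["one-time-code", "cc-number", "cc-csc"]);

// Constructed hint patterns (assumptions; tune for real forms).
const PASSWORD_HINT = /passw(or)?d|passphrase|pwd/i;
const OTHER_HINT = /ssn|social.?sec|tax.?id|national.?id|cvv|cvc|(^|[^a-z])pin([^a-z]|$)/i;

// Returns "not-masked", "password", "masked-other" or "unknown".
function classifyMaskedInput(field) {
  if ((field.type || "text").toLowerCase() !== "password") return "not-masked";

  // 1. Explicit autocomplete tokens are the strongest signal.
  const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.some((t) => PASSWORD_TOKENS.has(t))) return "password";
  if (tokens.some((t) => OTHER_SECRET_TOKENS.has(t))) return "masked-other";

  // 2. Weaker hints: name, id, placeholder and label text, plus numeric input mode.
  const text = [field.name, field.id, field.placeholder, field.label].filter(Boolean).join(" ");
  const looksPassword = PASSWORD_HINT.test(text);
  const looksOther = OTHER_HINT.test(text) || (field.inputmode || "").toLowerCase() === "numeric";
  if (looksPassword && !looksOther) return "password";
  if (looksOther && !looksPassword) return "masked-other";

  // 3. Conflicting or missing hints: do not guess.
  return "unknown";
}

// Suppress generation only when the hints say the masked field is not a password.
function shouldOfferGeneration(field) {
  const kind = classifyMaskedInput(field);
  return kind === "password" || kind === "unknown";
}
```

Fields with no usable hints stay eligible for generation, so the sketch only changes behaviour where a masked field clearly identifies itself as something other than a password.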

Hey Zack, can you get us the SSN/ID field HTML from the internal benefits portal? Knowing what this field looks like can help give us hints as to whether or not we should use it as a password field.

Flags: needinfo?(tgiles) → needinfo?(mczack)

Adding :mkaply to CC list.

I can look into adding a policy interface for adding exceptions.

I checked and Chrome doesn't have anything like this.

Idea for password field - provide a way to specify the password policy in the HTML so we can generate the correct thing. Plus then the password policy would be a defined thing (instead of the horribleness we have on the web today)

(In reply to Mike Kaply [:mkaply] from comment #7)

> Idea for password field - provide a way to specify the password policy in the HTML so we can generate the correct thing. Plus then the password policy would be a defined thing (instead of the horribleness we have on the web today)

I believe there is a way to specify it in HTML https://developer.apple.com/documentation/security/password_autofill/customizing_password_autofill_rules , but I don't know how much it is adopted or supported.

(In reply to Sergey Galich from comment #8)

> I believe there is a way to specify it in HTML https://developer.apple.com/documentation/security/password_autofill/customizing_password_autofill_rules , but I don't know how much it is adopted or supported.

Yes, the passwordrules attribute is still under discussion. We are not supporting it now; I believe Chrome and Safari don't support the attribute either.

Enhancements are N/A.

Assignee: nobody → sgalich
Severity: -- → N/A
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P3
Flags: needinfo?(mczack)