Closed Bug 1765381 Opened 2 years ago Closed 2 years ago

Show Save Login only when user has interacted with the page

Categories: Toolkit :: Password Manager, enhancement, P1

Status: RESOLVED FIXED, 102 Branch
Tracking Status: firefox102 --- fixed

People: Reporter: serg, Assigned: serg

References: Blocks 3 open bugs

Attachments: 1 file, 1 obsolete file

We can try to show the Save Login panel multiple times, on submit or navigation events. When a page script modifies password fields (munge, encrypt, hash, clear, etc.) we notice the change and may offer to save the modified data instead.

We should skip attempts to save the login again when there was no user interaction since the last save login operation.
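The gating rule described in this report, as an added example that is not part of the original bug or of Firefox's password manager code: a capture attempt on submit or navigation only leads to a Save Login offer if a user interaction happened after the previous offer. The class, function, event names and the trace are hypothetical and constructed for illustration.

```javascript
// Added illustration; all names are hypothetical, not Firefox internals.
class SaveLoginGate {
  constructor() {
    this.lastInteraction = null; // time of the most recent user gesture
    this.lastOffer = null;       // time Save Login was last offered
  }
  onUserInteraction(t) {
    this.lastInteraction = t;
  }
  // Called on submit/navigation with the current password field value.
  onCaptureAttempt(t, value) {
    if (this.lastInteraction === null) {
      return { offer: false, reason: "no-user-interaction" };
    }
    if (this.lastOffer !== null && this.lastInteraction <= this.lastOffer) {
      // Field changed without the user touching the page, e.g. a page
      // script hashed or cleared it after the first submit.
      return { offer: false, reason: "no-interaction-since-last-offer" };
    }
    this.lastOffer = t;
    return { offer: true, value };
  }
}

// Replays an event trace and returns one decision per capture attempt.
function replay(events) {
  const gate = new SaveLoginGate();
  const decisions = [];
  for (const e of events) {
    if (e.type === "input") {
      gate.onUserInteraction(e.t);
    } else if (e.type === "submit" || e.type === "navigation") {
      decisions.push({ t: e.t, ...gate.onCaptureAttempt(e.t, e.value) });
    }
    // "script-change" is a page-script edit: it is not user interaction.
  }
  return decisions;
}

// Constructed trace: the page script rewrites the field after the submit.
const TRACE = [
  { t: 0, type: "navigation", value: "" },
  { t: 1, type: "input" },
  { t: 2, type: "submit", value: "typed-by-user" },
  { t: 3, type: "script-change" },
  { t: 4, type: "navigation", value: "scrambled-by-page-script" },
  { t: 5, type: "input" },
  { t: 6, type: "submit", value: "typed-by-user-again" },
];
```
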

Assignee: nobody → sgalich
Blocks: 1600397, 1757719
Severity: -- → S2
Priority: -- → P1
Summary: Do not save login unless there was a user interaction since last save time or it's the first time save → Do not save login again unless there was a user interaction since last save
Summary: Do not save login again unless there was a user interaction since last save → Repeat Save Login onlywhen user interaction since last save
Summary: Repeat Save Login onlywhen user interaction since last save → Show Save Login only when user has interacted with the page
Attachment #9273308 - Attachment description: WIP: Bug 1765381 - Show Save Login only when user has interacted with the page → Bug 1765381 - Show Save Login only when user has interacted with the page

Bug 1765990 will be used to add currently missing test coverage for user interaction tracking.

Blocks: 1765990
Attachment #9273672 - Attachment description: WIP: Bug 1765381 - Expose last user gesture timestamp; → Bug 1765381 - Expose last user gesture timestamp;
Depends on: 1766582

Comment on attachment 9273672 [details]
Bug 1765381 - Expose last user gesture timestamp;

Revision D144590 was moved to bug 1766582. Setting attachment 9273672 [details] to obsolete.

Attachment #9273672 - Attachment is obsolete: true

This is an interesting BUG report. I have seen a number of bug reports (as I am on the CC list for Password Manager bugs), for issues where internal site scripts alter the user provided password (and possibly the Password Manager provided one too), and it is then triggering a false drop-down for Password Update. I can understand the scripted encryption, so that the details can be passed to the Authentication Servers securely, and similar with Hashes I guess. Not sure about "mungling", I suspect this is algorithm driven, to add a security layer for server to server data transfer?

Oddly enough, I have experienced several times on different sites, where the password manager will suggest a secure password for a new password on a site not used before, and when it displays the key symbol to show it has saved it, once entered into that site, I get ANOTHER prompt to "update" it, but it is always the same password. Is that a related bug?

I see also that this bug is an Enhancement Type, but would it have more traction if changed to a Defect type, so it does not have to rely on voting?

Flags: needinfo?(sgalich)

(In reply to Tony Davis from comment #5)

> .... Not sure about "mungling", I suspect this is algorithm driven, to add a security layer for server to server data transfer?

I suspect this is used by some sites to wipe out the password from browser process memory. This is not going to stop a real attacker who can read process memory. They can read it before the submit event, but it gives an extra sense of security and may help to stop low-skilled attackers. After all, for each really good attacker, there are thousands of less knowledgeable ones.

> Oddly enough, I have experienced several times on different sites, where the password manager will suggest a secure password for a new password on a site not used before, and when it displays the key symbol to show it has saved it, once entered into that site, I get ANOTHER prompt to "update" it, but it is always the same password. Is that a related bug?

Maybe, if you can provide a URL to such a site, we can investigate!

> I see also that this bug is an Enhancement Type, but would it have more traction if changed to a Defect type, so it does not have to rely on voting?

We've marked it as Enhancement because it improves the existing behavior. I can't say for sure, but I think when the original version of login capture was written it was a different time, with simpler username-password-submit forms that didn't involve much scripting. Don't worry, this is not going to get lost, I'm actively working on it as we speak.

Flags: needinfo?(sgalich)
Attachment #9273308 - Attachment description: Bug 1765381 - Show Save Login only when user has interacted with the page → WIP: Bug 1765381 - Show Save Login only when user has interacted with the page
Attachment #9273308 - Attachment description: WIP: Bug 1765381 - Show Save Login only when user has interacted with the page → Bug 1765381 - Show Save Login only when user has interacted with the page
Pushed by sgalich@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8fe249959041
Show Save Login only when user has interacted with the page r=tgiles,dimi
Flags: needinfo?(sgalich)
Pushed by sgalich@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dc0edbb7484d
Show Save Login only when user has interacted with the page r=tgiles,dimi,sfoster
Flags: needinfo?(sgalich)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch