Show Save Login only when user has interacted with the page
Categories
(Toolkit :: Password Manager, enhancement, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox102 | --- | fixed |
People
(Reporter: serg, Assigned: serg)
References
(Blocks 3 open bugs)
Details
Attachments
(1 file, 1 obsolete file)
We can try to show the Save login panel multiple times, on submit or navigation events. When page script modifies password fields (munge, encrypt, hash, clear, etc.) we notice the change and may offer to save the modified data instead.
We should skip attempts to save the login again when there has been no user interaction since the last save login operation.
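A minimal model of the rule proposed in the description above, as an added example that is not Firefox's code and not part of the original report. The class, method and field names and the event trace are hypothetical; the sample values are constructed.

```javascript
// Added illustration, not Firefox code. Class, method and field names are hypothetical.
class SaveLoginGate {
  constructor() {
    this.lastGestureAt = -Infinity; // most recent user input on the page
    this.lastOfferAt = -Infinity;   // most recent save-login offer
  }

  // Called for user-generated input (typing, paste, click), never for script writes.
  noteUserGesture(now) {
    this.lastGestureAt = now;
  }

  // Called on submit or navigation with the password field's current value.
  shouldOffer(password, now) {
    if (!password) return { offer: false, reason: "empty-field" };
    if (this.lastGestureAt <= this.lastOfferAt) {
      // Nothing the user did since the last offer (or ever): any new value
      // in the field was written by page script, so do not offer it.
      return { offer: false, reason: "no-user-interaction" };
    }
    this.lastOfferAt = now;
    return { offer: true, reason: "user-interacted" };
  }
}

// Constructed event trace: a script-prefilled page navigates, the user types and
// submits, the page then replaces the field with a digest and navigates again,
// and later the user types a new password and submits.
const SAMPLE_EVENTS = [
  { t: 5,  type: "navigate", value: "prefilled-by-script" },
  { t: 10, type: "gesture" },
  { t: 20, type: "submit",   value: "correct horse" },
  { t: 21, type: "navigate", value: "9b74c9897bac770f" }, // script-munged value
  { t: 30, type: "gesture" },
  { t: 40, type: "submit",   value: "battery staple" },
];

// Feeds the trace through the gate and returns one decision per capture event.
function replay(events) {
  const gate = new SaveLoginGate();
  const decisions = [];
  for (const ev of events) {
    if (ev.type === "gesture") gate.noteUserGesture(ev.t);
    else decisions.push({ t: ev.t, ...gate.shouldOffer(ev.value, ev.t) });
  }
  return decisions;
}
```

Only the submits at t=20 and t=40 produce an offer; the munged value seen at t=21 is never offered because no user input separates it from the previous offer.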
Comment 2•2 years ago (Assignee)
Bug 1765990 will be used to add currently missing test coverage for user interaction tracking.
Comment 4•2 years ago
Comment on attachment 9273672 [details]
Bug 1765381 - Expose last user gesture timestamp;
Revision D144590 was moved to bug 1766582. Setting attachment 9273672 [details] to obsolete.
Comment 5•2 years ago
This is an interesting BUG report. I have seen a number of bug reports (as I am on the CC list for Password Manager bugs), for issues where internal site scripts alter the user provided password (and possibly the Password Manager provided one too), and it is then triggering a false drop-down for Password Update. I can understand the scripted encryption, so that the details can be passed to the Authentication Servers securely, and similar with Hashes I guess. Not sure about "mungling", I suspect this is algorithm driven, to add a security layer for server to server data transfer?
Oddly enough, I have experienced several times on different sites, where the password manager will suggest a secure password for a new password on a site not used before, and when it displays the key symbol to show it has saved it, once entered into that site, I get ANOTHER prompt to "update" it, but it is always the same password. Is that a related bug?
I see also that this bug is an Enhancement Type, but would it have more traction if changed to a Defect type, so it does not have to rely on voting?
Comment 6•2 years ago (Assignee)
(In reply to Tony Davis from comment #5)
> .... Not sure about "mungling", I suspect this is algorithm driven, to add a security layer for server to server data transfer?

I suspect this is used by some sites to wipe out the password from browser process memory. This is not going to stop a real attacker who can read process memory. They can read it before the submit event, but it gives an extra sense of security and may help to stop low-skilled attackers. After all, for each really good attacker, there are thousands of less knowledgeable ones.

> Oddly enough, I have experienced several times on different sites, where the password manager will suggest a secure password for a new password on a site not used before, and when it displays the key symbol to show it has saved it, once entered into that site, I get ANOTHER prompt to "update" it, but it is always the same password. Is that a related bug?

Maybe, if you can provide a URL to such a site, we can investigate!

> I see also that this bug is an Enhancement Type, but would it have more traction if changed to a Defect type, so it does not have to rely on voting?

We've marked it as Enhancement because it improves the existing behavior. I can't say for sure, but I think when the original version of login capture was written it was a different time, with simpler username-password-submit forms that didn't involve much scripting. Don't worry, this is not going to get lost, I'm actively working on it as we speak.
Pushed by sgalich@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8fe249959041
Show Save Login only when user has interacted with the page r=tgiles,dimi
Comment 8•2 years ago
Backed out for mochitest failures on test_submit_without_field_modifications.html
Backout link: https://hg.mozilla.org/integration/autoland/rev/b47b6c1c5cb08b6895498058f10a902661e956a6
Log link: https://treeherder.mozilla.org/logviewer?job_id=376872468&repo=autoland&lineNumber=4011
Pushed by sgalich@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/dc0edbb7484d
Show Save Login only when user has interacted with the page r=tgiles,dimi,sfoster
Comment 10•2 years ago
bugherder |