Multiple unrelated usernames suggested in Humblebundle.com login
Categories
(Toolkit :: Password Manager: Site Compatibility, defect, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox105 | --- | fixed |
People
(Reporter: tamma00, Assigned: janika)
Details
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Steps to reproduce:
Go to about:logins and create multiple new dummy logins with following credentials:
Website: https://www.humblebundle.com/login?
Username: User
Password: Pass
Website: https://www.example.com
Username: Unrelated
Password: Unrelated
Go to https://www.humblebundle.com/login? and reject or accept all cookies when offered. In my testing it made no difference in the Email/Username field with only the number of cookies being higher at 14 when accepted vs 7 when rejected.
Press CTRL+F5 to do a cache bypass.
Click on the Email field.
Both dummy logins are suggested despite the example.com one being completely unrelated. This even extends to old passwords or phrases entered in form history.
For example changing example.com username to NewUnrelated the website still offers nonexistent Unrelated username in the field despite password manager no longer containing that.
Actual results:
Firefox suggests unrelated usernames for humblebundle.com login at https://www.humblebundle.com/login? regardless if cookies are rejected or accepted. Is this expected behavior by Firefox?
Expected results:
Firefox should only suggest domain related logins by default.
|
||
Comment 1•3 years ago
|
||
:tomorrow thank you for filing this bug. I can not reproduce with these specific steps, but I'm noticing that username on humblebundle.com is not detected as part of Logins (autocomplete dropdown doesn't have "View all saved logins" entry). It looks like a regular Form History.
If you remove example.com login from your about:logins and restart browser, do you still see unexpected choices?
Indeed. But this only happens after i reload the page at least once after Firefox restart.
For some reason after the restart the first visit is normal but subsequent refreshes trigger the bugged behavior.
I even deleted site data and cookies but those incorrect terms are offered probably from global form history. Even after removing example.com and restarting Firefox it still offers 3 names in the field. One that was deleted previously and the Unrelated one that i also deleted.
If i use Clear all History and delete everything except active logins then nothing is offered for the Email box and Username is offered for the Password box.
|
||
Comment 3•3 years ago
|
||
(In reply to Sergey Galich [:serg] from comment #1)
but I'm noticing that username on humblebundle.com is not detected as part of Logins (autocomplete dropdown doesn't have "View all saved logins" entry).
Yes, the problem is that the password manager does NOT mark the username field as a username field. More precisely, this line is not called.
This is because the password field of the form is disabled when the page is loaded, and when that happens, we won't call markAsLoginManagerField on the username field . The password field is re-enabled soon after the page is loaded, so it looks like the password field is enabled in the first place.
The quickest solution would probably be putting the markAsLoginManagerField code before the disabled and readOnly check, but I'm not sure if this is what we want because that affects the behavior on forms when its password fields is always disabled or readOnly. An alternative would be listening to attribute change, but that requires more work.
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
Assignee | |
Comment 4•3 years ago
|
||
|
|
Assignee | |
Comment 5•3 years ago
|
||
Depends on D153589
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
|
||
Updated•3 years ago
|
|
||
Comment 7•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/84de15534de9
https://hg.mozilla.org/mozilla-central/rev/d7d83f53bf77
Description
•