2001459 - DisablePasswordReveal enterprise policy no longer hides the show password button

Status: VERIFIED FIXED

(Firefox :: about:logins, defect)

Description

[Mike Kaply [:mkaply]]

I have no idea when this started (it was a while ago).

We have a policy called DisablePasswordReveal that used to remove the show password eye from about:logins.

It was implemented a long time ago in Firefox 71 (unfortunately with no test).

As of now, it doesn't work.

Oddly, all of the infrastructure to make it work is still in the password manager:

https://searchfox.org/firefox-main/source/browser/components/aboutlogins/AboutLoginsParent.sys.mjs#320

passwordRevealVisible: Services.policies.isAllowed("passwordReveal"),

but about:logins doesn't appear to be honoring that passwordRevealVisible flag anymore.

This clearly happened a while ago, but no one noticed.

Comment 1

[j]

Attachment: Group Policy object affected by DisablePasswordReveal

I'm not sure what the expected behavior of this policy setting is since I've never seen it functional. My understanding was it affected right clicking inside the password box and accessing 'reveal password' context menu item.

From firefox.adml

<string id="DisablePasswordReveal">Do not allow passwords to be revealed in saved logins</string>
<string id="DisablePasswordReveal_Explain">If this policy is enabled, the user cannot show passwords in saved logins.

If my assumption is correct, this would also go hand in hand with a about:config setting that no longer exists:

layout.forms.reveal-password-context-menu.enabled

Comment 2

[Mike Kaply [:mkaply]]

It's supposed to make the eye not display in the password manager (that's what it used to do)

https://bugzilla.mozilla.org/show_bug.cgi?id=1586913

https://searchfox.org/mozilla-esr78/source/browser/components/aboutlogins/content/components/login-item.js#865

Comment 3

[Mike Kaply [:mkaply]]

That code still exists:

https://searchfox.org/firefox-main/source/browser/components/aboutlogins/content/components/login-item.mjs#973

But code was added to unhide it when editing.

https://searchfox.org/firefox-main/source/browser/components/aboutlogins/content/components/login-item.mjs#989

Comment 4

[Mike Kaply [:mkaply]]

Yep, that was the problem.

I think I'll add a test for it this time.

Comment 5

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1654665

:mtigley, since you are the author of the regressor, bug 1654665, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Comment 6

[Mike Kaply [:mkaply]]

So I figured out what happened with the test.

When this feature was originally implemented, the reveal button showed when creating a new entry.

This was changed so that we just always show the password during creation and the reveal button is not visible at all.

Since the test was checking for whether or not the reveal button was visible, it continued to pass.

Comment 7

[Mike Kaply [:mkaply]]

Attachment: Bug 2001459 - Don't show reveal button if DisablePasswordReveal policy is set. r?mtigley

Comment 8

[Pulsebot]

Pushed by mozilla@kaply.com:
https://github.com/mozilla-firefox/firefox/commit/1e84ee418f19
https://hg.mozilla.org/integration/autoland/rev/db29592c6377
Don't show reveal button if DisablePasswordReveal policy is set. r=mtigley,credential-management-reviewers

Comment 9

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/db29592c6377

Comment 10

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/db29592c6377

Comment 11

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:mkaply, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
  • See https://wiki.mozilla.org/Release_Management/Requesting_an_Uplift for documentation on how to request an uplift.
• If no, please set status-firefox146 to wontfix.

For more information, please visit BugBot documentation.

Comment 12

[Phabricator Automation]

firefox-beta Uplift Approval Request

• User impact if declined: Broken policy behavior reported by customer
• Code covered by automated testing: yes
• Fix verified in Nightly: yes
• Needs manual QE test: no
• Steps to reproduce for manual QE testing:
• Risk associated with taking this patch: low
• Explanation of risk level: Just moves some existing code.
• String changes made/needed: None
• Is Android affected?: no

Comment 13

[Mike Kaply [:mkaply]]

Attachment: Bug 2001459 - Don't show reveal button if DisablePasswordReveal policy is set.

Original Revision: https://phabricator.services.mozilla.com/D273648

Comment 14

[Phabricator Automation]

firefox-esr140 Uplift Approval Request

• User impact if declined: Broken policy behavior reported by customer
• Code covered by automated testing: yes
• Fix verified in Nightly: yes
• Needs manual QE test: no
• Steps to reproduce for manual QE testing:
• Risk associated with taking this patch: low
• Explanation of risk level: Just moves some existing code.
• String changes made/needed: None
• Is Android affected?: no

Comment 15

[Mike Kaply [:mkaply]]

Attachment: Bug 2001459 - Don't show reveal button if DisablePasswordReveal policy is set.

Original Revision: https://phabricator.services.mozilla.com/D273648

Comment 16

[Alin Ilea, Desktop Test Engineering]

Verified - Fixed in Nightly 147.0a1 (2025-11-27). The password reveal button is not displayed when the DisablePasswordReveal policy is applied.

Comment 17

[Pulsebot]

https://github.com/mozilla-firefox/firefox/commit/78d5fc71c2fd
https://hg.mozilla.org/releases/mozilla-beta/rev/0369f6dacf1a

Comment 18

[Pulsebot]

https://hg.mozilla.org/releases/mozilla-esr140/rev/86a5f2059e2f

Comment 19

[Alin Ilea, Desktop Test Engineering]

Verified - Fixed in Beta 146.0(build id: 20251201213807) and 140.6.0esr(build id: 20251201132345). The password reveal button is not displayed when the DisablePasswordReveal policy is applied. Also the policy is displayed under Active in about:policies, with the value true.