Bug 227640
password is saved even when the password field has autocomplete="off"
Status: Closed (RESOLVED FIXED)
Opened 21 years ago, closed 21 years ago
Categories: Toolkit :: Password Manager, defect
Tracking: mozilla1.7
People: Reporter: bugzilla, Assigned: bryner
Details: Keywords: regression, Whiteboard: fixed-aviary1.0
Attachments (1 file): patch, 1000 bytes; bryner: review+
Firebird seems to offer the user to save the password even when I have
autocomplete="off" on my password field.
on http://gemal.dk/test/autocomplete.html
I have two forms. Mozilla should NOT offer to save any of the passwords.
But Firebird offers to save the password on the first form which it shouldn't!
Comment 1•21 years ago
Firebird seems to check for autocomplete="off" on the username field but not on
the password field.
Comment 2•21 years ago
This regressed between Aug 11 and Aug 16, implicating the new password manager,
which is in Aug 12 builds and later.
-> Password Manager
Comment 3•21 years ago
This appears to be blocking me from using my online banking service with
Firebird. It's actually the *only* page I regularly go to that I cannot use
Firebird for.
From the guys in charge at www.nwolb.com:
We have tested our service with Mozilla Firebird and, at this time, the
browser has failed to meet our security standards. Our service includes code
which is designed to remove any customer account information from your
computer when you exit the service. This is intended to prevent subsequent
unauthorised viewing of account information. We have found that Mozilla
Firebird continues to store this information. We have contacted Mozilla
regarding the concern and at this time they have been unable to offer us a
solution.
Until such time as Mozilla addresses our concerns and amends the behaviour
of their browser we will not be able to support Mozilla Firebird. In the
meantime we will continue to communicate with Mozilla on this issue and will
test new versions of their browser as they become available.
Updated•21 years ago
Flags: blocking0.9?
Comment 4•21 years ago
(In reply to comment #3)
> This appears to be blocking me from using my online banking service with
> Firebird. It's actually the *only* page I regularly go to that I cannot use
> Firebird for.
>
> From the guys in charge at www.nwolb.com:
<snip>
Are you sure you are still getting this? This should have been fixed by bug
66911 comment 73.
I can get to the login page without problems with Firefox 0.8 (but not
Konqueror, so they haven't completely stopped being idiots).
That bug wasn't an issue of autocomplete=off anyway; rather they were sending
the wrong HTTP headers and a bug in IE did what they wanted to do rather than
using the correct ones.
Comment 5•21 years ago
Well, what do you know? That'll remind me to test my cases again before
reporting them when I run across them looking at other bugs!
Shame they haven't managed to get it working as nicely with Firebird as with IE,
but it's much better than not working at all. ;-)
Comment 6•21 years ago
this is deliberate behaviour per
http://lxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/base/nsPasswordManager.cpp#1024
however
http://msdn.microsoft.com/workshop/author/dhtml/reference/properties/autocomplete.asp
and
http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/input_password.asp
both explicitly state support for this on the password form element.
Since this is ultimately a non-standard MS extension we're aping, we should
probably be consistent here and disable saving the login in this case as well.
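Added example (not part of the bug thread, the attached patch, or Mozilla's code): a small model of the save decision, contrasting a check that consults only the username field with one that also honours autocomplete="off" on the password field and the form. The form objects, the username heuristic and all function names are assumptions made for illustration.

```javascript
// Added illustration: plain objects stand in for DOM forms (hypothetical model).
// Not Mozilla's nsPasswordManager code and not the patch attached to this bug.

// True when the element carries autocomplete="off" (case-insensitive).
function autocompleteOff(el) {
  const v = el && el.attrs ? el.attrs.autocomplete : undefined;
  return typeof v === "string" && v.trim().toLowerCase() === "off";
}

// First password field plus the nearest text field before it
// (assumed heuristic for choosing the username field).
function findLoginFields(form) {
  const i = form.fields.findIndex((f) => f.type === "password");
  if (i < 0) return null;
  const before = form.fields.slice(0, i).reverse();
  return { user: before.find((f) => f.type === "text") || null, pass: form.fields[i] };
}

// Models the gap described in comment 1: only the username field is consulted.
function usernameOnlyCheck(form) {
  const f = findLoginFields(form);
  return f !== null && !autocompleteOff(f.user);
}

// Full check: the form, the username field or the password field can opt out.
function offersToSave(form) {
  const f = findLoginFields(form);
  return f !== null && ![form, f.user, f.pass].some(autocompleteOff);
}

const field = (type, autocomplete) => ({ type, attrs: autocomplete ? { autocomplete } : {} });

// Constructed forms, modeled on the report; not copied from the test page.
const FORMS = {
  passwordOnly: { attrs: {}, fields: [field("text"), field("password", "off")] },
  usernameOnly: { attrs: {}, fields: [field("text", "off"), field("password")] },
  formLevel: { attrs: { autocomplete: "OFF" }, fields: [field("text"), field("password")] },
  noOptOut: { attrs: {}, fields: [field("text"), field("password")] },
};

// Names of forms where the username-only check would still offer to save.
function missedOptOuts() {
  return Object.keys(FORMS).filter((n) => usernameOnlyCheck(FORMS[n]) && !offersToSave(FORMS[n]));
}

console.log(missedOptOuts());
```

The same table of forms can serve as a regression test for any credential-saving logic: every form with an opt-out on any of the three elements should produce no save prompt.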
Comment 7•21 years ago
Bryner, can you take a look at this? I thought this was working but the testcase
shows that's not the case.
Flags: blocking0.9? → blocking0.9+
Target Milestone: --- → Firefox0.9
Comment 8•21 years ago
(In reply to comment #6)
> this is deliberate behaviour per
> http://lxr.mozilla.org/mozilla/source/toolkit/components/passwordmgr/base/nsPasswordManager.cpp#1024
I know this is a much later revision, but I can't see where it's shown as
deliberate...?
Using very basic copy and paste skills (I've not much worked for COM... at
all.) I created a simple patch that, in theory, should check the autocomplete
attribute. I suppose this check almost goes better where it finds the password
fields, but I figured I had a better chance of making it work where I put it.
(since I don't have the setup to test building it.)
Either way, this seems like a reasonable fix to me (of course, I wrote it...) -
if this is really blocking 0.9.
-[Unknown]
Updated•21 years ago
Attachment #149881 -
Flags: review+
Comment 9•21 years ago
Fix checked in, branch and trunk
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Updated•21 years ago
Whiteboard: fixed-aviary1.0
Comment 10•21 years ago
see bug 245333
Firefox does not recognize the wallet.crypto.autocompleteoverride or have any
other preferences to disable this behaviour.
This behaviour used to work correctly in firefox 0.8 i.e. it used to save
passwords even when autocomplete=off.
please reopen
Comment 11•21 years ago
this bug is fixed and has no relation to whether there is an override pref. (As
a note, we don't use wallet, so wallet prefs are mostly useless)
bug 245333 is where all discussion on an override should go.
Updated•17 years ago
Product: Firefox → Toolkit