Closed Bug 333080 Opened 18 years ago Closed 17 years ago

autocomplete=off should yield a one-time informational dialog

Categories

(Toolkit :: Password Manager, enhancement)

Product:
Toolkit
Component:
Password Manager
Version:
1.8.0 Branch
Platform:
x86
Linux
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: rlaager, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060324 Ubuntu/dapper Firefox/1.5.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060324 Ubuntu/dapper Firefox/1.5.0.1

As I explained here: https://launchpad.net/distros/ubuntu/+source/firefox/+bug/38513/+index

"I was really frustrated when the password saving didn't work for me. It took me quite a bit of searching to find the solution. I'm a "power" user. What is the average user supposed to do? Even if we're not going to give them an option to override the site's suggestion, we should at least inform them why their browser isn't following their preferences. If Firefox is offering to remember passwords on most sites, it's confusing for there to be some exceptions."

I suggest something like this:
"This site has requested that browsers not save form data (e.g. usernames, passwords, etc.).

[ ] Show this message when a site blocks autocompletion

[OK]"

Reproducible: Always

Steps to Reproduce:
1. Visit http://wellsfargo.com or another site that uses autocomplete=off
2. Enter your login information
3. Click submit

Actual Results:  
The password manager does not offer to save the password.

Expected Results:  
The expected result is that the password manager will do its job. However, it's clear that Firefox is going to honor the bank's wishes even when that's silly.

Given the sad reality of this situation, I expect that Firefox will (at least once) tell me what has happened. When this first happened to me, I looked all around my prefs to see if there was something missing, then tried to think of other sites to test with, etc. I then started Googling on vague search terms about Firefox failing to remember passwords. I eventually found out about autocomplete=off. A simple warning with a "Show this again"-type box (unchecked by default) would've been sufficient to inform me that it was the intended behavior.
Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.8) Gecko/20051111 Firefox/1.5 - Build ID: 2005111116
Confirmed. That would be a good thing to do.
Perhaps not a dialog box, but an information bar at the top of the screen (a la popup blocker)?
URL: http://wellsfargo.comhttp://wellsfargo.com/
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 1.5.0.x Branch
That would be acceptable too.
Banking I understand, but here's the problem: sites like Yahoo Mail (and others) use autocomplete=off. Having this 'feature' (see #63961) leaves it open to abuse by anyone.

What if autocomplete=off is only honoured for SSL connections? That way, banks shouldn't bitch, and a little user control is wrested back.
Isn't autocomplete=off just an easy way to avoid password storage? If a website really wants to keep the browser from *using* a stored password then alternating form element name's/id's would also do the trick to prevent semi-automatic logins. This would then also annoy those who do not want the server to decide on this. The latter, however, would still store the used-only-once username/password combinations (never to be used again, but stored anyhow), which might introduce security problems that are worse than the annoyance some feel when honoring autocomplete=off?

See http://wssg.berkeley.edu/SecurityInfrastructure/reports/AutoComplete/#Test%20Changing%20Form%20Value%20Names
To clarify my earlier comment: I think Firefox should, by default, always honor the autocomplete=off *without* any dialog or notification. Even more: when it finds a field that has this property set, I feel it should no longer list the already known names, nor complete the already known passwords for the selected name, and clear all existing stored names and passwords (see bug 362576).

Use case: personnel that can access sensitive data of clients, and though instructed not to allow for remembering passwords, might still choose Yes when shown the one-time only dialog about what happened. This is not about their own bank account, and it's not only experienced users who use Firefox. Let those who're annoyed download some add-on, enable some hidden feature such as in bug 318667, or complain at the web site maker!
Adding popups like this, even "one time" only, is annoying and I can't see us ever doing this.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.