Form action property saved by password manager not accessible from JavaScript for extension developing.




12 years ago
10 years ago


(Reporter: sebastian.tschan, Unassigned)


1.8 Branch

Firefox Tracking Flags

(Not tracked)



(1 attachment)



12 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv: Gecko/20070220 Firefox/
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de; rv: Gecko/20070220 Firefox/

The Mozilla Foundation Security Advisory 2007-02 ( states that "The Firefox password manager was altered to take into account the destination site of the password data and only replay when a form's destination matches the one that was saved."

But this property (the destination site / form action attribute) isn't accessible through JavaScript for extension developers to take into account - Especially Login extensions should be able to use it.

So far, the only properties you can get by using nsIPasswordManager and the Interfaces nsIPassword and nsIPasswordInternal are
- host
- password
- user
- passwordFieldName
- userFieldName

Reproducible: Always

Steps to Reproduce:
Nothing to reproduce, just an important property not accessible for Extension Developers.
Actual Results:  
Nothing to reproduce, just an important property not accessible for Extension Developers.

Expected Results:  
Nothing to reproduce, just an important property not accessible for Extension Developers.

It is just the form action attribute saved by Password Manager since the last Firefox release (Version, that should be made accessible to extension developers through JavaScript, so login extensions can make use of the additional security aspect.
Is this an issue for any existing extensions?

Comment 2

12 years ago
Yes, for Secure Login for example:
This was implemented temporarily on trunk, by attachment 262187 [details] [diff] [review] to bug 373253. Trunk then switched to the new Login Manager code, which replaces all the old interfaces with new ones.
Ever confirmed: true

Comment 4

12 years ago
Thanks, Justin for the new LoginManager in Firefox 3.0a5 - this resolves the issue here.
Will there be a fix for Firefox 2 as well?
Created attachment 282209 [details] [diff] [review]
Patch, work in progress
The last attachment has the relevant bits extracted from the older trunk patch I mentioned in comment #3...

dveditz, is this something that can be taken on branch?


11 years ago
Version: unspecified → 2.0 Branch
Sure, but you'll have to implement it as a new _MOZILLA_1_8_BRANCH interface instead of changing the existing iface.

Sounded like Sebastian also wanted changes to nsIPasswordInternal, for password entry information, not just a change for adding passwords. A change to that interface would also have to undergo branch uglification.

Ugly, but allows old extensions to keep working and updated extensions can work equally well in new and old versions by detecting whether or not the new interface exists.
I think this is essentially WONTFIX at this point. FF3 is out, and there doesn't seem to be a pressing need to get this in FF2. If someone wants to do the legwork to polish up the proof-of-concept here for the 1.8 branch, and write a set of tests for it, then I *might* be willing to take it... But that seems unlikely, and there's not much point in keeping the bug around just waiting for FF2 support to officially EOL.
Last Resolved: 11 years ago
Resolution: --- → WONTFIX


10 years ago
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.