Option to Unhide Entry of Password (AKA "show password" equivalent for current mobile app/webpage idiom)
Categories
(Core :: Layout: Form Controls, enhancement)
Tracking
()
Tracking | Status | |
---|---|---|
firefox96 | --- | fixed |
People
(Reporter: david, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug, )
Details
(Keywords: dev-doc-complete)
Attachments
(6 files, 6 obsolete files)
Reporter | ||
Comment 2•14 years ago
|
||
Comment 3•14 years ago
|
||
Reporter | ||
Comment 4•14 years ago
|
||
Comment 5•13 years ago
|
||
Reporter | ||
Comment 6•13 years ago
|
||
Comment 7•13 years ago
|
||
Comment 8•13 years ago
|
||
Reporter | ||
Comment 9•13 years ago
|
||
Comment 10•11 years ago
|
||
Comment 11•11 years ago
|
||
Reporter | ||
Comment 13•11 years ago
|
||
Updated•10 years ago
|
Comment 16•9 years ago
|
||
Comment 17•9 years ago
|
||
Comment 18•9 years ago
|
||
Comment 19•9 years ago
|
||
Reporter | ||
Comment 20•9 years ago
|
||
Comment 21•9 years ago
|
||
Comment 22•9 years ago
|
||
Comment 23•9 years ago
|
||
Reporter | ||
Comment 24•9 years ago
|
||
Comment 25•9 years ago
|
||
Comment 26•9 years ago
|
||
Comment 27•9 years ago
|
||
Comment 28•9 years ago
|
||
Comment 29•9 years ago
|
||
Comment 30•9 years ago
|
||
Comment 31•9 years ago
|
||
Comment 32•9 years ago
|
||
Comment 33•9 years ago
|
||
Comment 35•9 years ago
|
||
Comment 36•9 years ago
|
||
Comment 37•9 years ago
|
||
Updated•9 years ago
|
Updated•9 years ago
|
Updated•9 years ago
|
Comment 38•9 years ago
|
||
Comment 39•9 years ago
|
||
Comment 40•9 years ago
|
||
Reporter | ||
Comment 41•9 years ago
|
||
Comment 42•9 years ago
|
||
Comment 43•7 years ago
|
||
Comment 45•6 years ago
|
||
Comment 46•4 years ago
|
||
I raised this recently on Reddit, hoping to see this feature as the other major browsers have this and I really miss it!
https://reddit.com/r/firefox/comments/frpsp6/will_firefox_get_show_password_feature_like_other/
Assignee | ||
Comment 47•3 years ago
|
||
I tend to think we urgently need to implement this. There's clearly a user need for temporarily unmasking the text in password fields.
Assignee | ||
Comment 48•3 years ago
•
|
||
Here's the iconography in Edge on Win10, fwiw.
Assignee | ||
Comment 49•3 years ago
|
||
Assignee | ||
Comment 50•3 years ago
|
||
Do we already have SVGs for those symbols by any chance?
Assignee | ||
Comment 51•3 years ago
|
||
Here's a quick hack that seems to work to mask/unmask the value.
Just need SVG icons and add toggling between those...
Assignee | ||
Comment 52•3 years ago
|
||
I found these that looks good to me:
browser/components/aboutlogins/content/icons/password.svg
browser/components/aboutlogins/content/icons/password-hide.svg
Assignee | ||
Comment 53•3 years ago
|
||
Assignee | ||
Updated•3 years ago
|
Assignee | ||
Comment 54•3 years ago
|
||
Comment 56•3 years ago
|
||
The input probably shouldn't lose the focus ring after you click the button. FWIW I expect backlash from web developers unless the fill of the icon is the same as the text color (and we don't add any backgrounds, probably, or they're very subtle so that they don't alter the general design).
Assignee | ||
Comment 57•3 years ago
|
||
The input probably shouldn't lose the focus ring after you click the button.
Ah, good catch, I didn't even notice :-)
FWIW I expect backlash from web developers unless the fill of the icon is the same as the text color
Right, I haven't really looked at the SVGs at all so far. It appears background-color
works fine, but it doesn't use color
. I'll look into that, thanks!
Comment 58•3 years ago
|
||
I think the icon is using context-fill so it might just work if you add -moz-context-properties
.
My other potential concern with landing something like this is that pages that provide their own toggle (like Google or such) will look out of sync, which is a bit unfortunate but maybe we just have to live with that?
Can we try to coordinate with other browsers on this or something?
Assignee | ||
Comment 59•3 years ago
|
||
I think the icon is using context-fill so it might just work if you add -moz-context-properties.
Thanks, I'll try that.
My other potential concern with landing something like this is that pages that provide their own toggle (like Google or such) will look out of sync
IMHO, sites that makes assumptions about what a specific UAs <input type=password>
looks like are broken by design. Not that that stops web developers from still doing that of course, so I get what you're saying... :-)
maybe we just have to live with that?
I think so yeah, but I guess we can give a heads-up to major sites that we know are doing that.
Can we try to coordinate with other browsers on this or something?
I'm hoping the csswg issue I filed would spark some discussion / co-ordination. One way to get UAs to converge on this would be if the HTML spec would recommend that password fields have a built-in unmasking button, not normatively perhaps, but at least informatively as a good practice.
Assignee | ||
Comment 60•3 years ago
|
||
BTW, regarding the focus issue, given that I copied the styling from ::-moz-search-clear-button
, I checked and it looks like <input type=search>
has the same focus issue...
Assignee | ||
Comment 61•3 years ago
|
||
FWIW I expect backlash from web developers unless the fill of the icon is the same as the text color
FYI, if you try this in Edge on Win10: data:text/html,<input type=password style="background:black; color:red">
you'll se that Edge doesn't honor the color at all, so the password reveal button is invisible. Funny enough they also have the same problem with focus - when you click the reveal button the control loses focus, and not only that, if you click outside it and then focus it again and type more text the button never shows up again.
It looks like their control is even buggier than what I have so far...
BTW, -moz-context-properties: fill; fill: currentColor;
fixed the color issue for me.
I'll look into the focus issue tomorrow...
Assignee | ||
Comment 62•3 years ago
|
||
Jamie, is there anything you would like regarding accessibility if we add this password reveal button?
Does Edge on Windows have some special a11y for their reveal button?
Comment 63•3 years ago
|
||
Thanks for asking. Do I have to do anything special in Edge to get the password reveal button to show up? If I do:
data:text/html,<input type="password">
Even when I type something, I can't see the button appear anywhere in the accessibility tree. Either its a11y is busted or it isn't showing up at all. I can't confirm the latter as I don't have any sighted help at the moment.
In any case, if we're displaying a button visually, this should probably be exposed in the a11y tree as a separate labelled control outside of the input and it should also be tabbable. I imagine those things are going to be tricky to implement, though, because I'm guessing the anonymous button is created inside the text field (I don't know that code well enough to be sure).
Is this for desktop or both desktop and Android? If desktop, a context menu entry might be a suitable workaround for keyboard and screen reader users, albeit less discoverable. That's not going to work for Android, though.
Comment 64•3 years ago
|
||
Thanks Mats for working on this! I like this solution a lot as it solves it for all users across the board.
I think it would be good to raise this at https://github.com/whatwg/html/issues for coordination with others as well as to indicate that password fields can contain such additional controls. Safari seems to have some custom UI inside password controls already, albeit it for password management. Chrome has nothing as far as I can tell.
Questions:
- Does the state of the button take into account the computed value of
input-security
? It seems this would be important to not be out-of-sync with websites. - Does the state of the button affect the computed style
input-security
? E.g., if the user toggles it, does that change the computed value observable to the website? I'm not sure what the right behavior here is, but this might be something we have to specify as part of HTML integration.
If we decide to ship this I think it would be worth making some noise about it, e.g., with a blog post on Hacks. That way web developers have a heads up of sorts.
Assignee | ||
Comment 65•3 years ago
|
||
(In reply to Anne (:annevk) from comment #64)
I think it would be good to raise this at https://github.com/whatwg/html/issues for coordination with others as well as to indicate that password fields can contain such additional controls.
Sure, I filed https://github.com/whatwg/html/issues/7293.
Safari seems to have some custom UI inside password controls already, albeit it for password management.
Yeah, it's kind of a dropdown menu; they could add a menu item for it there I suppose.
Chrome has nothing as far as I can tell.
I think someone mentioned they enable it in some situations / platforms... although I don't know details.
Given that Edge is now built on Chromium it should be easy for Chrome to add it, assuming Microsoft has/will upstream it.
- Does the state of the button take into account the computed value of
input-security
?
No, I believe input-security
is harmful to users and should be removed from the css-ui spec. I've filed https://github.com/w3c/csswg-drafts/issues/6788 about that.
If we decide to ship this I think it would be worth making some noise about it, e.g., with a blog post on Hacks. That way web developers have a heads up of sorts.
Yup, sounds good to me.
Assignee | ||
Comment 66•3 years ago
|
||
(In reply to James Teh [:Jamie] from comment #63)
Do I have to do anything special in Edge to get the password reveal button to show up?
Nope, just entering some text makes it show up. And deleting all text hides it again.
I'm copying that behavior, setting visibility:hidden
when it's empty.
Even when I type something, I can't see the button appear anywhere in the accessibility tree.
OK, maybe they don't have a11y support for it then... let me know if you find out more later.
I'll try to ask someone working on Edge if I can figure out who to ask.
this should probably be exposed in the a11y tree as a separate labelled control outside of the input
Yeah, that sounds reasonable.
and it should also be tabbable.
I'm not sure that's possible to implement, or even desirable. If the reveal button is tabbable it will disrupt tabbing to the next control in the form, which I think will be surprising to most users. I suspect that's going to be regarded as a regression and not desirable.
I'm guessing the anonymous button is created inside the text field.
Correct, it's inside the text field.
Is this for desktop or both desktop and Android?
Both, I hope, although I haven't really tested it on any mobile platforms yet, so I'm not sure how well it works there...
If desktop, a context menu entry might be a suitable workaround for keyboard and screen reader users, albeit less discoverable.
Yes, I was planning on adding a context menu item and some keyboard command for it.
That's not going to work for Android, though.
Hmm, I thought we had context menus on Android too? (when you long tap it) (I could be wrong since I don't use Android)
Comment 67•3 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #55)
Does this UI look OK so far?
Thanks for sharing this. In addition to the working through a11y and potential compat issues I think we should connect with UX and product folks before landing anything. I'll make sure this gets on their radar.
Comment 68•3 years ago
|
||
Or landing behind a pref at least.
Comment 69•3 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #66)
and it should also be tabbable.
I'm not sure that's possible to implement, or even desirable. If the reveal button is tabbable it will disrupt tabbing to the next control in the form, which I think will be surprising to most users. I suspect that's going to be regarded as a regression and not desirable.
Perhaps... but on the other hand, having it not tabbable means it can't be discovered/accessed as easily by keyboard users. Yes, we could have a keyboard shortcut or a context menu entry, but that's not particularly discoverable. I assume the whole reason we're doing this as a button instead of a context menu entry for mouse users is discoverability/ease of access.
I'm guessing the anonymous button is created inside the text field.
Correct, it's inside the text field.
That's going to be a problem for a11y and is possibly why Edge doesn't expose it. A11y needs this to be outside of the text field. I guess we could try to hack around that in the a11y engine, but I'm not sure how yet.
Hmm, I thought we had context menus on Android too? (when you long tap it) (I could be wrong since I don't use Android)
You might well be right. I don't use Android either. :)
Comment 70•3 years ago
|
||
Google folks said they got several bug reports when they tried to show a button like this by default. The issue being that web sites have a similar functionality already and then there might be two different looking buttons to do basically the same thing.
Comment 71•3 years ago
|
||
(In reply to Brian Grinstead [:bgrins] from comment #67)
(In reply to Mats Palmgren (:mats) from comment #55)
Does this UI look OK so far?
Thanks for sharing this. In addition to the working through a11y and potential compat issues I think we should connect with UX and product folks before landing anything. I'll make sure this gets on their radar.
As per product folks, this would be a good component to a larger revamp of the passwords and login experience - which is on the radar but not currently prioritized. Given potential compat issues (Comment 70) and a11y engineering work (Comment 69) I'll suggest that enabling this by default stays on the backlog until then.
Reporter | ||
Comment 72•3 years ago
|
||
This bug report is "well in hand". I am removing myself from receiving further E-mail about it.
Assignee | ||
Comment 73•3 years ago
|
||
(In reply to James Teh [:Jamie] from comment #69)
That's going to be a problem for a11y and is possibly why Edge doesn't expose it.
OK, I added aria-hidden=true to hide it. Turns out we already do that for the up/down buttons inside number controls:
https://searchfox.org/mozilla-central/rev/a12c2c2e59c92d8f969d8f3f290ab16919449c9d/layout/forms/nsTextControlFrame.cpp#370
(I guess we should probably do that to the Clear button inside <input type=search>
too -- I'll file a separate bug about that)
Assignee | ||
Comment 74•3 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #70)
Google folks said they got several bug reports when they tried to show a button like this by default.
Well, Edge has this button so I think it should be fine for us to ship it too.
Assignee | ||
Comment 75•3 years ago
|
||
It's controlled by the pref:
layout.forms.input-type-show-password-button.enabled
Enable it by default in Nightly for testing purposes.
Assignee | ||
Updated•3 years ago
|
Comment 76•3 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #73)
OK, I added aria-hidden=true to hide it. Turns out we already do that for the up/down buttons inside number controls:
While I'm struggling to come up with another solution here, I'd point out that the up/down buttons for number controls and the clear search button all have very intuitive keyboard equivalents: up/down arrows and escape (or control+a then delete), respectively. Hiding the show password button makes the feature inaccessible to screen reader users. Having it not tabbable makes it inaccessible to keyboard users. Adding a context menu entry makes it accessible, but not discoverable, which means it is less accessible to keyboard/screen reader users than it is to mouse users (by virtue of it not being easily discoverable).
All this is to say that while landing this behind a pref is fine, these issues need to be sorted out properly before we even consider shipping it. Otherwise, we'll have the same situation we have with native video controls: authors will continue to rely on custom implementations because native web browser implementations have serious a11y problems.
Comment 77•3 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #66)
and it should also be tabbable.
I'm not sure that's possible to implement, or even desirable. If the reveal button is tabbable it will disrupt tabbing to the next control in the form, which I think will be surprising to most users.
Will it, though? Custom implementations of the reveal password button are probably tabbable, unless authors explicitly set tabindex="-1". And why would they do that? If there's a control discoverable to mouse users, why shouldn't it be similarly discoverable by keyboard users?
Assignee | ||
Comment 78•3 years ago
|
||
(ni? emilio for help fixing the context menu item)
Updated•3 years ago
|
Comment 79•3 years ago
|
||
I think this is nicer, should persist the state across reframes, and is
less special.
Comment 80•3 years ago
|
||
input/textarea tests in browser_contextmenu.js are disabled :-(
Depends on D130661
Updated•3 years ago
|
Assignee | ||
Comment 81•3 years ago
|
||
Comment on attachment 9249808 [details]
Bug 502258 - Simplify implementation of "show password" / "clear" button. r=mats
(folded into part 1)
Updated•3 years ago
|
Assignee | ||
Comment 82•3 years ago
|
||
(In reply to James Teh [:Jamie] from comment #76)
I'd point out that the up/down buttons for number controls and the clear search button all have very intuitive keyboard equivalents: up/down arrows and escape (or control+a then delete), respectively.
True, but please note that neither of the keyboard commands you mentioned are discoverable at all. A user must have learned them beforehand to know that they can use them. (Granted, keyboard users most likely are familiar with them, just saying that they aren't discoverable.)
Adding a context menu entry makes it accessible, but not discoverable
I disagree, a context menu item is discoverable. Less so than a focusable control, but still more discoverable than the keyboard commands mentioned above, which are not present in the context menu (although we might want to add a "Clear" context menu item for search input elements). We can add an accelerator key for it too, if that's desirable. I'll leave that for UX folks to decide, but that shouldn't block landing this in Nightly for testing purposes.
Comment 83•3 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #82)
I'd point out that the up/down buttons for number controls and the clear search button all have very intuitive keyboard equivalents: up/down arrows and escape (or control+a then delete), respectively.
True, but please note that neither of the keyboard commands you mentioned are discoverable at all. A user must have learned them beforehand to know that they can use them. (Granted, keyboard users most likely are familiar with them, just saying that they aren't discoverable.)
That's fair. I guess I'm arguing that prior familiarity with established conventions/patterns is an acceptable substitute for discoverability here. In contrast, there isn't really an established convention/pattern for keyboard access to reveal a password (except tabbing to a button).
I disagree, a context menu item is discoverable. Less so than a focusable control
Right; I should have said "less discoverable". My argument is: if we see the need to make it more clearly discoverable for mouse users (who could also use the context menu), that suggests we think it's not sufficiently discoverable for them. In that case, we have to ask why the same logic doesn't apply for keyboard users.
Assignee | ||
Comment 84•3 years ago
|
||
(In reply to James Teh [:Jamie] from comment #83)
In that case, we have to ask why the same logic doesn't apply for keyboard users.
That's fair, but I just don't see a way to do that, besides the context menu item and possibly adding an accelerator key. I don't think making this button focusable is an option. Both because it will likely require major surgery to implement (might be impossible actually), and secondly because it interrupts tabbing to the next form control which I suspect will be surprising and undesirable new behavior to many users. It's worth noting that both Edge and Safari have a button inside their password control and they chose to not make it focusable. All things considered, I think that's the right trade-off for us too.
That said, I don't feel strongly about the focusability, so if someone can supply patches that implements that in a reasonable way that's fine with me. I don't see that as blocking landing (and enabling) this in Nightly though.
BTW, for the screen reader case, a11y has access to the DOM so it seems to me it could easily retrieve the password in clear text and present that to AT through some function if we want.
Comment 85•3 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #84)
In that case, we have to ask why the same logic doesn't apply for keyboard users.
That's fair, but I just don't see a way to do that, besides the context menu item and possibly adding an accelerator key. I don't think making this button focusable is an option. Both because it will likely require major surgery to implement (might be impossible actually), and secondly because it interrupts tabbing to the next form control which I suspect will be surprising and undesirable new behavior to many users.
Perhaps, but you could argue having the control visible at all will be surprising new behaviour. Also, this is what already happens with at least some custom reveal password buttons.
It's worth noting that both Edge and Safari have a button inside their password control and they chose to not make it focusable. All things considered, I think that's the right trade-off for us too.
Their choices don't necessarily mean that's what's best for users. There are multiple articles discussing accessibility issues in native HTML widgets and how these are often why authors end up choosing custom implementations over native ones. I worry this will be yet another example of that.
Updated•3 years ago
|
Assignee | ||
Comment 86•3 years ago
|
||
Comment on attachment 9249809 [details]
Bug 502258 - part 2 - Implement "Toggle show password" context menu correctly. r=mats!,Gijs!
(I merged the two parts.)
Updated•3 years ago
|
Comment 87•3 years ago
|
||
Comment 89•3 years ago
|
||
Comment 90•3 years ago
|
||
Comment 91•3 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/68ad8a7fd3cc
https://hg.mozilla.org/mozilla-central/rev/31d134fa6717
https://hg.mozilla.org/mozilla-central/rev/dc02bbd4d4cf
Updated•3 years ago
|
Comment 93•3 years ago
|
||
FF96 docs work for this in https://github.com/mdn/content/issues/10855. Essentially it is just an update to the Experimental firefox features page to reveal the preference, and a minor update to HTML/Element/input/password to note this behaviour as another possible browser implementation behaviour.
I think it is too early to do much more - e.g. browser compatibility data updates, until the discussion proceeds to a more concrete specification in https://github.com/whatwg/html/issues/7293
Description
•