Closed Bug 544369 Opened 14 years ago Closed 14 years ago

SSL secured sites (like Yahoo mail): forms fields now "remember" previous entries

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 252486

People

(Reporter: clivadas, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5

Signing into SSL secured web pages (https:// ...), such as most mail systems, ALWAYS used to ask me for every form field and NEVER remembered those entries -- i.e. I had to type it every time. (You wouldn't want your email id revealed to the next user at an internet cafe, would you?) Now it seems Firefox DOES remember, and lists those entries (for what... convenience? Trus me, I want convenience on every other form entry page, not my login pages).

Tsk, tsk... No good.

BTW, I've got Firefox 3.5.5. I hope you folks fix this real fast now.

My apologies if others have already alerted you to this -- I couldn't find another similar entry.

Reproducible: Always

Steps to Reproduce:
1. Go to the log in page.
2. Login with your user id and password
3. Log out, and shut down or navigate to another page.
4. Go back to the log in page.
5. Start typing your user id again -- it pops up in the drop-down list (when it shouldn't, and definitely didn't before.)
Actual Results:  
As mentioned above.

Expected Results:  
No list... must enter every time.
Is there a check mark in the box Remember Passwords for Sites, in the Security tab in the Options window? If you remove it, it shouldn't show your user ID and password.
Component: Security → General
QA Contact: firefox → general
(In reply to comment #1)
> Is there a check mark in the box Remember Passwords for Sites, in the Security
> tab in the Options window? If you remove it, it shouldn't show your user ID and
> password.

No, there is no check mark. However, even if there was, I don't believe it should remember anything on those ( https:// ) pages. I think form history should only be stored for regular pages (or at least an option should be given). And I would like to reiterate that it never did this 

Note again that I noticed it on the Yahoo! Mail log in page. It also happens on the Google Reader log in page ( https://www.google.com/accounts/ServiceLogin?hl=en ). I'll report others as I find them, and conversely let you know if it doesn't happen on other sites. Perhaps it is special only to large popular sites?
Also happening on the bugzilla log in now https://bugzilla.mozilla.org/index.cgi?logout=1

Has no one noticed that this happens now, and that it never happened before (in previous releases)?
The form Manager always stored data on https pages AFAIK, we have bug 252486 to add an option for that.
Each page can exclude every Form from remembering (autocomplete=off)
(In reply to comment #4)
> The form Manager always stored data on https pages AFAIK, we have bug 252486 to
> add an option for that.
> Each page can exclude every Form from remembering (autocomplete=off)

Nope, never used to do it on secure sites, AFAIK. Or at least it didn't on any versions I've used. Form field history never popped up on secure pages (otherwise your credit card number might always pop up on a shopping cart pages).

I think this is new.

Also, I don't want to have to turn autocomplete off since the feature is fantastic for regular pages/forms.
Not sure if this is relevant, but Chrome doing the same thing.
Safari and IE do not save secure form history -- they're still behaving well as of now.
>Also, I don't want to have to turn autocomplete off since the feature is
>fantastic for regular pages/forms.

I meant the page itself can turn the autocomplete off for each form field and that should work in every browser.

Firefox always stored Form fields on ssl pages, the credit card case is something that many users reported.
marking as dupe
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
(In reply to comment #5)

> I think this is new.

Yes it's new - since FireFox and SeaMonkey 2.x
Mozilla and SeaMonkey 1.x had an integrated Form Manager and the user had to deliberately choose to record form data.
Presumably anyone who chose to do this for a secure page knew what he was risking.

The new behaviour (automatic recording if the page programmer hasn't disabled it!) is a serious security flaw. Not even sure when (or even if) "autocomplete=off" became widely accepted - it isn't anywhere in my documentation and for some HTML versions W3C verification rightly complains.

I was seriously considering returning all my own and clients' computers to SM 1.1.18 (except my own personal machine which I can survey) - but Philip Chee has ported "Autofill Forms" to SM 2.x (thanks, Phil), so one can disable the inbuilt form completion and use this intelligent extension instead.
I guess it's available for FF as well.

Regards
Christophe

NB: this bug is NOT resolved
The issue is not new for the toolkit Form Manager but SM used the several year old Form Manager code that wasn't maintained anymore.
SM2.0 is now using the Toolkit Form Manager Code.

The duping to bug 252486 is correct in that case.
You need to log in before you can comment on or make changes to this bug.