Caps lock indicator in password fields

RESOLVED DUPLICATE of bug 259059

Status

()

RESOLVED DUPLICATE of bug 259059
8 years ago
8 years ago

People

(Reporter: jhill, Unassigned)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
(Note: this is filed as part of the “Paper Cut” bugs — we assume that there may be multiple existing bugs on this. Please make them block this bug, and we will de-dupe if they are indeed exactly the same. Thanks!)

To reproduce:
1. open a webpage with a login and password box
2. turn on caps lock
3. start typing in the password field (notice missing indication of caps lock)

Recommendation:
Add a caps lock indicator when the caps lock is on and a password field has focus.
Google Chrome does this.
(Reporter)

Updated

8 years ago
Depends on: 259059
Component: General → Layout: Form Controls
Product: Firefox → Core
QA Contact: general → layout.form-controls

Updated

8 years ago
Whiteboard: [parity-chrome]
Implementing this would be a security issue if you actually use Caps Lock for its intended purpose. This is one of those bugs where the fix is a benefit for users who aren't using something properly at the expense of those who are.

Comment 2

8 years ago
I agree with Russell.

And Google Chrome doesn't do this, at least not on my end.
(In reply to comment #2)
> I agree with Russell.

I'm not sure I understand the argument. How does the indicator cause a security issue?

Please note that many users (not you, of course) accidentally activate the CAPS LOCK key without realizing it, and end up frustrated at their inability to login with their well-remembered password.

Comment 4

8 years ago
My understanding is that an indicator could be used by XSS (or something) to steal the user's password (or at least narrow the possible passwords down). AND it's easy to hide the keyboard on a desktop, but it's not so easy to hide the screen, if you have someone potentially spying on you when you enter your password.

I know what happens with "many" users. But we could find arguments that would last us all year. I could, at least. There's a notification light in the keyboard (which is where inexperienced users look at when they're typing their passwords!!!), and I think that's plenty. But this may be a case, from my side, of "don't help the stupids", so maybe I'm biased? I'm ok with this feature, personally, it's just that I also agree with Russell. There's a downside to it, I believe, but it may not be dire enough to outweigh the upside.

Comment 5

8 years ago
(In reply to comment #4)
> My understanding is that an indicator could be used by XSS (or something) to
> steal the user's password (or at least narrow the possible passwords down).
This argument is completely false. The page's scripts do not have access to the indicator or the pixels on the screen.

> it's easy to hide the keyboard on a desktop, but it's not so easy to hide the
> screen, if you have someone potentially spying on you when you enter your
> password.
The indicator does not affect this at all. While the indicator is shown, you could hold down the shift key to type lower-case letters anyway.

Even if the indicator were extremely slow and the page used timing attacks, it would not reduce the number of possibilities that the page would have to test because lower-case letters can always be typed even with the caps lock key on.

Comment 6

8 years ago
> The indicator does not affect this at all. While the indicator is shown, you
> could hold down the shift key to type lower-case letters anyway.

Correction: on OS X, caps lock does not allow the typing of lower-case letters. Even so, the way that we implement this should not create an XSS vulnerability. You would still have be cautious of people standing behind you anyway.

Comment 7

8 years ago
I stand corrected.

Comment 8

8 years ago
Chrome and Safari do this on OS X by using the native widgets, afaik.

(Chrome and Safari on Windows do not have this functionality.)
Whiteboard: [parity-chrome]

Comment 9

8 years ago
The Windows User Experience Guidelines recommends that this should be done for password boxes. "Use balloons to prevent frustration by alerting users of special conditions as soon as they happen (for example, exceeding maximum input size or setting Caps Lock on by mistake)."

http://msdn.microsoft.com/en-us/library/aa511451.aspx

Comment 10

8 years ago
That's probably outdated? Windows 7 doesn't tell the user on a ballon, but rather on a notification bellow... I mean, in the logon screen at least. I'm not aware that there's any other notification.
No longer blocks: 565517
Status: NEW → RESOLVED
Last Resolved: 8 years ago
No longer depends on: 259059
Resolution: --- → DUPLICATE
Duplicate of bug: 259059
You need to log in before you can comment on or make changes to this bug.