Password is not auto-filled on accounts.google.com with a hidden username field

RESOLVED WORKSFORME

Status

enhancement
RESOLVED WORKSFORME
7 years ago
4 years ago

People

(Reporter: dean.prog, Unassigned)

Tracking

(Depends on: 1 bug)

10 Branch

Attachments

(2 attachments, 1 obsolete attachment)

(Reporter)

Description

7 years ago
Created attachment 603114
Google's Login Page

The password manager is not usable when you have more than one account at a site which does not include a username field on the same page as the password field. Google does this (screenshot attached) as well as some banks.

Happens: Always

Steps to reproduce:

 * Create multiple GMail accounts

 * Visit http://gmail.com/. Log in to each account (allow Firefox to save passwords)

 * Delete all google cookies

 * Visit http://gmail.com/

 * OK: can type/select username and then password field is automatically filled-in.

 * finish the login

 * Wait for login to time-out (can simulate this by deleting all google cookies EXCEPT "LSID" cookie to accounts.google.com)

 * Visit http://gmail.com/

 * NOT OK: Google presents login page, but no username field is present (username displayed in a span element; also exists in a hidden input field, but that does not seem to tip off Firefox either), so password manager cannot fill in password.



It would be really nice if there were a way to insert the password on sites that do this. Due to the difficulty of extracting the user name, I would not expect Firefox to auto-fill the correct password for the current account (my bank web page puts the user name and password fields on completely separate pages which would make that completely impossible).

One possible solution/interface: Display a list of known logins for the current site in the popup menu you get from right-clicking on the password field:

 [  Undo                  ]
 [  Cut                   ]
 [  Copy                  ]
 [  ...                   ]
 [  Insert Password For:  ]
 [    dean@serenevy.net   ]
 [    bob@example.com     ]

Upon selecting one of the login names, the corresponding password would be inserted into the password field.

If no username is known for one or more passwords, display either "UNKNOWN USER 1", "UNKNOWN USER 2", ... or perhaps the first 2-3 characters of the password followed by stars: "foo*********", "bar**********" in place of the username in the popup menu (though the security risk may not be desirable there).

Thank you.

Updated

5 years ago
Component: Untriaged → Password Manager
Product: Firefox → Toolkit

Hello Dean, thanks for the detailed steps to reproduce.

(In reply to Dean Serenevy from comment #0)
>  * NOT OK: Google presents login page, but no username field is present
> (username displayed in a span element; also exists in a hidden input field,
> but that does not seem to tip off firefox either), so password manager can
> not fill in password.

In this case we should probably try to fill in the password based on the username in the hidden input. No additional UI should be necessary for this.

Summary: Password Manager usability when no username field present → Password is not auto-filled on accounts.google.com with a hidden username field

Does the username actually exist as a hidden input element? We don't do any explicit checks for that, so it should already work.
Comment 0 claims that it is but I didn't try to reproduce the bug to confirm for myself.

(In reply to Dean Serenevy from comment #0)

>  * Wait for login to time-out (can simulate this by deleting all google
> cookies EXCEPT "LSID" cookie to accounts.google.com)

This doesn't work for me. I just get tossed back to the full login page (i.e., with both username and password inputs).

(Reporter)

Comment 5

5 years ago
Created attachment 799423
Google Login Page (2013)
Attachment #603114 - Attachment is obsolete: true

(Reporter)

Comment 6

5 years ago
Created attachment 799424
Google Login HTML (2013)

Well, they seem to have changed their code in the year and a half since I reported the bug. However it still happens if you wait for your login to time out - I couldn't find the right combination of cookies to delete to trigger it manually.

However, I've attached an updated screenshot and a copy of the HTML. The relevant section is:

<div class="email-div">
  <label for="Email"><strong class="email-label">Email</strong></label>
  <input type="hidden"
  name="Email" id="Email" value="duelafn@gmail.com"
 >
  <input type="hidden" name="PersistentCookie" value="yes">
  <span id="reauthEmail" class="reauth">duelafn@gmail.com</span>
</div>
<div class="passwd-div">
  <label for="Passwd"><strong class="passwd-label">Password</strong></label>
  <input type="password" name="Passwd" id="Passwd"
  >
</div>

Duplicate of this bug: 888664

This is related to bug 551948 so I'm copying my comment from there:

(Quoting Matthew N. [:MattN] from bug 551948 comment #4)
> The reason the hidden input doesn't work is because we don't allow hidden
> inputs to be usernames [1]. a readonly or disabled username input should
> work along with the display:none trick. After bug 1119067, the standard way
> of doing this would be <input type=hidden value=someusername
> autocomplete=username />.
> 
> Without using @autocomplete, we could also search <input type=hidden /> and
> see if any have a value that matches a username we know about.
> 
> [1] https://mxr.mozilla.org/mozilla-central/source/toolkit/components/passwordmgr/LoginManagerContent.jsm?rev=12a7e4dd8949#346
Status: UNCONFIRMED → NEW
Depends on: 1119067
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All
See Also: → bug 551948
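
Added example, not part of the bug thread and not Firefox's own code: a model of the three cases named in the quoted comment (a typed input hidden only by CSS, a type=hidden input marked autocomplete=username, and an unmarked hidden input whose value matches a saved username). The field objects, function names and sample logins are assumptions made for illustration.

```javascript
// Added illustration, not Firefox code. Fields are plain objects standing in
// for <input> elements, in document order, so the logic runs without a DOM.
const TEXT_TYPES = ["text", "email"];

function pickUsernameHint(fields, savedLogins) {
  const pw = fields.findIndex(f => f.type === "password");
  if (pw === -1) return null;

  // 1. Nearest text-like input before the password field. CSS hiding does not
  //    change the type, so <input type="email" class="hidden"> lands here.
  const typed = fields.slice(0, pw).reverse().find(f => TEXT_TYPES.includes(f.type));
  if (typed) return { source: "typed-input", username: typed.value };

  const hidden = fields.filter(f => f.type === "hidden" && f.value);

  // 2. type=hidden input that the site has marked autocomplete=username.
  const marked = hidden.find(f => f.autocomplete === "username");
  if (marked) return { source: "autocomplete", username: marked.value };

  // 3. Unmarked hidden inputs: accept a value only if it exactly equals a
  //    username already saved for this origin, and only if it is unambiguous.
  const known = new Set(savedLogins.map(l => l.username));
  const hits = [...new Set(hidden.map(f => f.value).filter(v => known.has(v)))];
  return hits.length === 1 ? { source: "hidden-match", username: hits[0] } : null;
}

// Returns the saved login to fill, or null to leave the password field empty.
function loginToFill(fields, savedLogins) {
  const hint = pickUsernameHint(fields, savedLogins);
  if (!hint) return null;
  return savedLogins.find(l => l.username === hint.username) || null;
}

// Constructed sample data: two saved logins and the 2013 re-auth form shape.
const saved = [
  { username: "alice@example.com", password: "constructed-pw-1" },
  { username: "bob@example.com", password: "constructed-pw-2" },
];
const reauthForm = [
  { type: "hidden", name: "Email", value: "bob@example.com" },
  { type: "hidden", name: "PersistentCookie", value: "yes" },
  { type: "password", name: "Passwd", value: "" },
];
console.log(loginToFill(reauthForm, saved).username);
```

Because case 3 only selects among logins already saved for the site, a hidden value such as "yes" or an unknown address never causes a fill, and two conflicting matches leave the field empty.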

Google has fixed this on their end AFAICT as they now use <input type="email" class="hidden"> with the style:
.hidden {
    height: 0px;
    width: 0px;
    overflow: hidden;
    visibility: hidden;
    display: none !important;
}

Reopen if you are still seeing a problem with this. Multiple accounts are properly handled this way too.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WORKSFORME