Closed
Bug 735734
Opened 12 years ago
Closed 12 years ago
Form autocomplete popup shows up on focus
Categories
(Firefox for Android Graveyard :: General, defect)
Tracking
(blocking-fennec1.0 -)
RESOLVED
WORKSFORME
Tracking | Status | |
---|---|---|
blocking-fennec1.0 | --- | - |
People
(Reporter: martijn.martijn, Assigned: Margaret)
I noticed 730478, comment 10:
"
(In reply to Chris Peterson (:cpeterson) from comment #9)
> On my Galaxy S II, autocomplete seems to work correctly, though I get an
> unfiltered autocomplete box with all possible suggestions *before* I type
> anything. I don't expect the suggestion list until after I start typing.

The unfiltered list is by design. We want "less typing", so we show the list right away.
"
This might have security implications, see for instance bug 270697.
When autocomplete popups appear on focus, it is very easy to steal form autocomplete data.
Reporter
Updated•12 years ago
Summary: Form autocomplete popup shows up on autocomplete → Form autocomplete popup shows up on focus
Reporter
Comment 1•12 years ago
Here you can enter some autocomplete entries by filling in the input and submitting.
http://people.mozilla.org/~mwargers/tests/forms/autocomplete_forms/autofocus_input.html
Then load this url:
http://people.mozilla.org/~mwargers/tests/forms/autocomplete_forms/autofocus_inputs_multiple.html
The form autocomplete popup moves all over the place here.
Updated•12 years ago
blocking-fennec1.0: --- → ?
Assignee
Comment 2•12 years ago
We actively decided to make the suggestion list appear when the user taps on the input, so it seems switching from a focus listener to a click listener would fix the "popup moves all over the place" problem.
As for the security threat, we only listen for click events on the native popup to fill the element with an autocomplete suggestion value, so I don't think there's a way for a malicious website to get at these suggestions (there's no "pressing the down arrow" to scroll through suggestions).
Assignee: nobody → margaret.leibovic
Assignee
Comment 3•12 years ago
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #1)
> Then load this url:
> http://people.mozilla.org/~mwargers/tests/forms/autocomplete_forms/autofocus_inputs_multiple.html

Thinking about this bug more, I think this is a pretty unrealistic testcase. Also, if a field is already focused, a user is most likely going to start typing, not tap on the input to try to make suggestions appear, so I think showing the suggestions on focus is better than on tap. I think it's more common that a website will give focus to an input field the user is about to fill out, than for a website randomly giving focus to different input elements, so I think what we did in bug 711177 is correct.
Given that there isn't a security threat, I think we should WONTFIX this bug.
Reporter
Comment 4•12 years ago
And there is no security problem here? Desktop Firefox doesn't show form autocomplete popup by untrusted web content for a reason.
Assignee
Comment 5•12 years ago
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #4)
> And there is no security problem here? Desktop Firefox doesn't show form
> autocomplete popup by untrusted web content for a reason.

I believe the security concern on desktop (at least from bug 270697) was that the website could see the suggestions because we used to fill the input box as the user used the keyboard to scroll through the suggestions. This isn't a problem with fennec since we're not filling the input unless the user taps on a suggestion. Since the popup and that event are handled by native Java code, there's no way for the website to simulate that.
I suppose the website could create some click-jacking attack by switching focus to an input before making a user tap somewhere, but that seems more difficult to execute.
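The difference comment 5 draws between filling the input while the user scrolls through suggestions and filling it only when the user taps one, as an added JavaScript model that is not part of the bug thread and not Firefox or Fennec code. `ModelInput`, `ModelPopup`, `pageVisibleValues` and the sample history are hypothetical names and constructed data.

```javascript
// Added illustration: a toy model, not Firefox or Fennec code. All names are hypothetical.
// The input as the page sees it: page script can read every value it ever holds.
class ModelInput {
  constructor() { this.value = ""; this.seenByPage = []; }
  set(v) { this.value = v; this.seenByPage.push(v); }
}

// Suggestion popup with one of two fill policies:
//   "fill-on-highlight": copy the highlighted entry into the input while scrolling
//   "fill-on-commit":    copy an entry only when the user explicitly picks it
class ModelPopup {
  constructor(input, history, policy) {
    this.input = input; this.history = history; this.policy = policy;
    this.index = -1; this.open = false;
  }
  focus() { this.open = true; this.index = -1; } // unfiltered list shown on focus
  highlightNext() {
    if (!this.open || this.history.length === 0) return;
    this.index = (this.index + 1) % this.history.length;
    if (this.policy === "fill-on-highlight") this.input.set(this.history[this.index]);
  }
  commit(i) { // the user picks entry i from the popup
    if (!this.open || i < 0 || i >= this.history.length) return;
    this.input.set(this.history[i]);
    this.open = false;
  }
}

// Constructed sample data standing in for saved form history.
const SAMPLE_HISTORY = ["alice@example.com", "555-0100", "42 Example Street"];

// Returns every value the page could have read after the popup opens on focus,
// the highlight moves `steps` times, and (optionally) the user picks one entry.
function pageVisibleValues(policy, steps, pick = null) {
  const input = new ModelInput();
  const popup = new ModelPopup(input, SAMPLE_HISTORY, policy);
  popup.focus();
  for (let i = 0; i < steps; i++) popup.highlightNext();
  if (pick !== null) popup.commit(pick);
  return input.seenByPage;
}
```

In this model, showing the popup on focus exposes nothing to the page by itself; exposure depends on the fill policy, and under fill-on-commit a single pick reveals only the picked entry.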
Updated•12 years ago
blocking-fennec1.0: ? → -
Assignee
Comment 7•12 years ago
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #6)
> This will be fixed now by bug 736008, it seems.

Yeah, turns out there were other issues with using a focus listener :)
Resolving as WORKSFORME, since this isn't really a dupe of bug 736008, but fixed as a side effect of that patch.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Reporter
Comment 8•12 years ago
Well, WORKSFORME is generally used for bugs that don't show the bug anymore, but for which we don't know what caused it to go away. But it doesn't really matter.
Updated•3 years ago
Product: Firefox for Android → Firefox for Android Graveyard