Closed Bug 735734 Opened 12 years ago Closed 12 years ago

Form autocomplete popup shows up on focus

Categories

(Firefox for Android Graveyard :: General, defect)

ARM
Android
defect
Not set
normal

Tracking

(blocking-fennec1.0 -)

RESOLVED WORKSFORME
Tracking Status
blocking-fennec1.0 --- -

People

(Reporter: martijn.martijn, Assigned: Margaret)

I noticed 730478, comment 10:
"
(In reply to Chris Peterson (:cpeterson) from comment #9)

> On my Galaxy S II, autocomplete seems to work correctly, though I get an
> unfiltered autocomplete box with all possible suggestions *before* I type
> anything. I don't expect the suggestion list until after I start typing.

The unfiltered list is by design. We want "less typing", so we show the list right away.
"

This might have security implications, see for instance bug 270697.
When autocomplete popups appear on focus, it is very easy to steal form autocomplete data.
Summary: Form autocomplete popup shows up on autocomplete → Form autocomplete popup shows up on focus
Here you can enter some autocomplete entries by filling in the input and submitting.
http://people.mozilla.org/~mwargers/tests/forms/autocomplete_forms/autofocus_input.html

Then load this url:
http://people.mozilla.org/~mwargers/tests/forms/autocomplete_forms/autofocus_inputs_multiple.html

The form autocomplete popup moves all over the place here.
blocking-fennec1.0: --- → ?
We actively decided to make the suggestion list appear when the user taps on the input, so it seems switching from a focus listener to a click listener would fix the "popup moves all over the place" problem.

As for the security threat, we only listen for click events on the native popup to fill the element with an autocomplete suggestion value, so I don't think there's a way for a malicious website to get at these suggestions (there's no "pressing the down arrow" to scroll through suggestions).
Assignee: nobody → margaret.leibovic
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #1)

> Then load this url:
> http://people.mozilla.org/~mwargers/tests/forms/autocomplete_forms/autofocus_inputs_multiple.html

Thinking about this bug more, I think this is a pretty unrealistic testcase.

Also, if a field is already focused, a user is most likely going to start typing, not tap on the input to try to make suggestions appear, so I think showing the suggestions on focus is better than on tap. I think it's more common that a website will give focus to an input field the user is about to fill out, than for a website randomly giving focus to different input elements, so I think what we did in bug 711177 is correct. Given that there isn't a security threat, I think we should WONTFIX this bug.
And there is no security problem here? Desktop Firefox doesn't show form autocomplete popup by untrusted web content for a reason.
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #4)
> And there is no security problem here? Desktop Firefox doesn't show form
> autocomplete popup by untrusted web content for a reason.

I believe the security concern on desktop (at least from bug 270697) was that the website could see the suggestions because we used to fill the input box as the user used the keyboard to scroll through the suggestions. This isn't a problem with fennec since we're not filling the input unless the user taps on a suggestion. Since the popup and that event are handled by native Java code, there's no way for the website to simulate that.

I suppose the website could create some click-jacking attack by switching focus to an input before making a user tap somewhere, but that seems more difficult to execute.
blocking-fennec1.0: ? → -
This will be fixed now by bug 736008, it seems.
Depends on: 736008
(In reply to Martijn Wargers [:mw22] (QA - IRC nick: mw22) from comment #6)
> This will be fixed now by bug 736008, it seems.

Yeah, turns out there were other issues with using a focus listener :)

Resolving as WORKSFORME, since this isn't really a dupe of bug 736008, but fixed as a side effect of that patch.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Well, WORKSFORME is generally used for bugs that don't show the bug anymore, but for which we don't know what caused it to go away. But it doesn't really matter.
Product: Firefox for Android → Firefox for Android Graveyard