Don't autofill logins in frames that are not same-origin with top-level page
Categories
(Toolkit :: Password Manager, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox83 | --- | verified |
People
(Reporter: causeless, Assigned: bdanforth)
References
(Blocks 2 open bugs)
Details
(Keywords: privacy, sec-low, Whiteboard: [security:passwords][adv-main83+])
Attachments
(3 files)
Comment 2•12 years ago
|
||
Comment 3•12 years ago
|
||
Updated•6 years ago
|
Updated•5 years ago
|
Comment 7•4 years ago
•
|
||
To fix the dFPI tracking vulnerability described in Bug 1658078 we'd need to ensure that no part of credentials are autofilled (not just password).
Updated•4 years ago
|
Updated•4 years ago
|
Assignee | ||
Updated•4 years ago
|
Assignee | ||
Comment 8•4 years ago
|
||
Updated•4 years ago
|
Assignee | ||
Comment 9•4 years ago
|
||
Updated•4 years ago
|
Updated•4 years ago
|
Comment 10•4 years ago
|
||
Comment 11•4 years ago
|
||
bugherder |
Assignee | ||
Comment 12•4 years ago
|
||
QA Test Instructions
Note: If the second patch has not landed yet, you can still QA this feature, as the second patch contains test-only changes. Hopefully it will land in the next few days.
- In a new profile in Firefox 83, go to
about:logins
. - Click Create New Login and create a login for:
- Enter https://bugs.mattn.ca for the website address field.
- Enter a fake username for the username field.
- Enter a fake password for the password field.
- Click Save.
- Go to https://bugs.mattn.ca/pwmgr/login_and_change_form.html.
- Observe that the login you created for the origin https://bugs.mattn.ca is autofilled into the form in the "Login form:" section, among others.
- Go to https://mozilla.github.io/form-fill-examples/password_manager/form_with_iframe.html.
- Observe that the login you created for the origin https://bugs.mattn.ca is not autofilled into the https://bugs.mattn.ca/pwmgr/login_and_change_form.html page loaded into the iframe (in the "Login form:" section or anywhere else).
- To the extent that you can find other login pages that allow being loaded in iframes (i.e. their X-Frame-Options header is not set), you can change the
src
attribute for the iframe in the page using Firefox's DevTools.
Comment 13•4 years ago
|
||
Comment 14•4 years ago
|
||
bugherder |
Comment 15•4 years ago
|
||
Reproduced the issue on affected Release 81.0.2 on Windows 10 x64.
Verified-fixed on latest Nightly 83.0a1 (2020-10-18) (64-bit) on Windows 10, MacOS 10.15 and Ubuntu 16.04 with the following expected result:
The login you created for the origin https://bugs.mattn.ca is not autofilled into the https://bugs.mattn.ca/pwmgr/login_and_change_form.html page loaded into the iframe (in the "Login form:" section or anywhere else).
However, would like to clear things up a bit before marking this as verified.
On the https://bugs.mattn.ca/pwmgr/login_and_change_form.html all the "Login form:" section should be auto-filled in ALL the areas involving Shadow Root? We have:
- Inside a single Shadow Root -> this gets autofilled only on Windows 10 (on macOS and Ubuntu is no longer autofilled in Nightly, works on Beta and Release, could this be a regression?)
- Form contents inside a Shadow Root -> is never auto-filled on any of the OS and Firefox versions
Please take a look at this when you have the time Bianca, will do mozregression in the meantime on MacOS and see what exactly introduced the different behavior.
Comment 16•4 years ago
•
|
||
Apparently, there were some caching issues going on for me, mozregression didn't reproduce this at all. A couple of page refreshes solved this and it is no longer reproducible with new Firefox profiles either. So ignore point 1, but do let me know about point 2.
Sorry for all the fuzz Bianca
Assignee | ||
Comment 17•4 years ago
|
||
Hi Timea; thanks for testing this.
I should have mentioned that this patch is unrelated to the Shadow DOM work, and consequently, Shadow DOM scenarios are out of scope for this bug.
In general, most Password Manager features do not work at all with Shadow DOM; fixing that is being tracked by Bug 1629226.
The test page is a general purpose test page that I am borrowing for convenience. Ideally I could have used a simple login form page (with a single form, like the one in the "Login form" section) to load into the iframe to avoid confusion, but this is the only page I found that didn't have the prohibitive X-Frame-Options
header.
Comment 18•4 years ago
|
||
Thanks for clearing things out Bianca! Marking this as verified-fixed as per Comment 15 and Comment 17.
Updated•4 years ago
|
Updated•4 years ago
|
Comment 19•4 years ago
|
||
Updated•2 years ago
|
Description
•