Password manager shouldn't autofill into username fields with inappropriate @autocomplete values
Categories: Toolkit :: Password Manager, defect, P2
People: Reporter: craig, Assigned: sfoster
References: Blocks 1 open bug
Whiteboard: [passwords:heuristics]
User Story
* The following `autocomplete` field names should be valid for username fields:
** "username"
** "email" (added in bug 1540154)
** "tel" (added in bug 1540154)
** "tel-national" (added in bug 1540154)
** "off"
** "on"
** ""
Use the API `usernameField.getAutocompleteInfo().fieldName` to get proper parsing. We can probably do this check in `LoginHelper.isUsernameFieldType`
Attachments
(1 file)
Comment 21 • 6 years ago
We're going to look into this soon. It's complicated because we can't blindly trust @autocomplete.
Comment 25 • 6 years ago
Backed out for failures on /test_autofill_autocomplete_types.html
backout: https://hg.mozilla.org/integration/autoland/rev/d4e6ec91e2c3f2d26205485b74e15e5320c728d2
failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=232779138&repo=autoland&lineNumber=2354
[task 2019-03-08T22:52:49.862Z] 22:52:49 INFO - 403 INFO TEST-START | toolkit/components/passwordmgr/test/mochitest/test_autofill_autocomplete_types.html
[task 2019-03-08T22:53:00.085Z] 22:53:00 INFO - 404 INFO TEST-OK | toolkit/components/passwordmgr/test/mochitest/test_autofill_autocomplete_types.html | took 11371ms
[task 2019-03-08T22:53:00.087Z] 22:53:00 INFO - 405 INFO TEST-START | Shutdown
[task 2019-03-08T22:53:00.088Z] 22:53:00 INFO - 406 INFO Passed: 25
[task 2019-03-08T22:53:00.088Z] 22:53:00 INFO - 407 INFO Failed: 0
[task 2019-03-08T22:53:00.088Z] 22:53:00 INFO - 408 INFO Todo: 0
[task 2019-03-08T22:53:00.088Z] 22:53:00 INFO - 409 INFO Mode: non-e10s
[task 2019-03-08T22:53:00.090Z] 22:53:00 INFO - 410 INFO Slowest: 11371ms - /tests/toolkit/components/passwordmgr/test/mochitest/test_autofill_autocomplete_types.html
[task 2019-03-08T22:53:00.091Z] 22:53:00 INFO - 411 INFO SimpleTest FINISHED
[task 2019-03-08T22:53:01.710Z] 22:53:01 INFO - Failed to get top activity, retrying, once...
[task 2019-03-08T22:54:51.620Z] 22:54:51 INFO - 412 INFO TEST-UNEXPECTED-FAIL | unknown test url | uncaught exception - TypeError: SimpleTest.harnessParameters is undefined at SimpleTest_setTimeoutShim@https://example.com/tests/SimpleTest/SimpleTest.js:669:17
[task 2019-03-08T22:54:51.620Z] 22:54:51 INFO - add_task@https://example.com/tests/SimpleTest/AddTask.js:30:7
[task 2019-03-08T22:54:51.620Z] 22:54:51 INFO - @https://example.com/tests/toolkit/components/passwordmgr/test/mochitest/test_autofill_autocomplete_types.html:79:1
[task 2019-03-08T22:54:51.620Z] 22:54:51 INFO - simpletestOnerror@https://example.com/tests/SimpleTest/SimpleTest.js:1665:24
[task 2019-03-08T22:54:57.196Z] 22:54:57 INFO - 413 INFO TEST-UNEXPECTED-FAIL | | /tests/toolkit/components/passwordmgr/test/mochitest/test_autofill_autocomplete_types.html - finished in a non-clean fashion, probably because it didn't call SimpleTest.finish()
[task 2019-03-08T22:54:57.197Z] 22:54:57 INFO - {u'loaded_test_url': u'/tests/toolkit/components/passwordmgr/test/mochitest/test_autofill_autocomplete_types.html'}
[task 2019-03-08T22:54:57.197Z] 22:54:57 INFO - 414 INFO TEST-UNEXPECTED-ERROR | | Finished in 13144ms
[task 2019-03-08T22:54:57.197Z] 22:54:57 INFO - {u'runtime': 13144}
[task 2019-03-08T22:54:57.197Z] 22:54:57 INFO - TEST-INFO
[task 2019-03-08T22:54:57.197Z] 22:54:57 INFO - 415 INFO SimpleTest START
[task 2019-03-08T22:54:57.197Z] 22:54:57 INFO - 416 INFO TEST-START | toolkit/components/passwordmgr/test/mochitest/test_autofill_autocomplete_types.html
[task 2019-03-08T22:55:09.541Z] 22:55:09 INFO - Failed to get top activity, retrying, once...
[task 2019-03-08T22:55:09.957Z] 22:55:09 INFO - wait for org.mozilla.fennec_aurora complete; top activity=com.android.launcher
[task 2019-03-08T22:55:10.163Z] 22:55:10 INFO - remoteautomation.py | Application ran for: 0:03:27.098337
[task 2019-03-08T22:55:10.885Z] 22:55:10 INFO - Stopping web server
[task 2019-03-08T22:55:10.889Z] 22:55:10 INFO - Stopping web socket server
[task 2019-03-08T22:55:10.910Z] 22:55:10 INFO - Stopping ssltunnel
[task 2019-03-08T22:55:10.931Z] 22:55:10 INFO - leakcheck | refcount logging is off, so leaks can't be detected!
[task 2019-03-08T22:55:10.931Z] 22:55:10 INFO - runtests.py | Running tests: end.
[task 2019-03-08T22:55:11.764Z] 22:55:11 INFO - Buffered messages logged at 22:54:58
[task 2019-03-08T22:55:11.764Z] 22:55:11 INFO - 417 INFO TEST-START | Shutdown
Comment 26 • 6 years ago (Assignee)
Thanks for the backout :nataliaCs. I thought my try push was clean on Android 4.3 API16, but looking again I see the same failure there: https://treeherder.mozilla.org/#/jobs?repo=try&revision=c1564d10b11abac062b123267ad0df8bea4fc48c
Comment 29 • 6 years ago
Using the STR from comment 0, this issue was fixed; however, if we were to use some test pages with username fields that have autocomplete="anything but the valid values", then the username fields will get auto-filled. Is this intended? Does this cover this bug's verification?
Failing test page:
```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
</head>
<body>
  <form method="POST" action="./">
    <h1>Username field has autocomplete=ersahusername</h1>
    <p>
      <label>User: <input type="text" autocomplete="ersahusername"></label>
    </p>
    <p>
      <label>Password: <input type="password" name="password"></label>
    </p>
    <p>
      <input type="submit" value="Login">
    </p>
  </form>
</body>
</html>
```
Comment 30 • 6 years ago (Assignee)
That is my understanding of the spec, yes. An invalid autocomplete attribute should get our default behavior - which is to autofill.
Comment 31 • 6 years ago
Yes, Sam is correct that the behaviour is intended.
If you saw improvements comparing before and after the patch then that would be enough for verification. The easiest way to verify would be to load a test page that has an address field with its @autocomplete value immediately before a password field when you have a saved login containing a username and password field. The address field shouldn't be filled anymore.
Comment 32 • 6 years ago
Considering comment 31, the STR found in comment 0 is now invalid because the registration page has changed. Do you know of any other test page that has the needed requirements?
If I were to build a test page, when using the test page from comment 9 with the addition of the autocomplete="last-name" in the field before the password field, mentioned in comment 12, like so:
```html
<form>
  <input type='text' name='username'>
  <input type='text' name='firstname'>
  <input type='text' name='lastname' autocomplete="family-name">
  <input type='password' name='pw' autocomplete='off'>
</form>
```
the field with the autocomplete="last-name" attribute will NOT be autofilled; however, the field before that one (the first-name field) will get autofilled with the username saved in the Password Manager. The old behavior is still observable on builds before the patch. I understand that this is still intended. Please confirm?
Comment 33 • 6 years ago
(In reply to Bodea Daniel [:danibodea] from comment #32)
> Considering comment 31, the STR found in comment 0 is now invalid because the registration page has changed. Do you know of any other test page that has the needed requirements?
I don't know any off-hand but the ones you manually create are fine.
> If I were to build a test page, when using the test page from comment 9 with the addition of the autocomplete="last-name" in the field before the password field, mentioned in comment 12, like so:
> ```html
> <form>
>   <input type='text' name='username'>
>   <input type='text' name='firstname'>
>   <input type='text' name='lastname' autocomplete="family-name">
>   <input type='password' name='pw' autocomplete='off'>
> </form>
> ```
> the field with the autocomplete="last-name" attribute will NOT be autofilled; however, the field before that one (the first-name field) will get autofilled with the username saved in the Password Manager. The old behavior is still observable on builds before the patch. I understand that this is still intended. Please confirm?
Yes, that's intended. All we're doing is ignoring valid @autocomplete values which aren't the ones listed in the user story. We will keep searching earlier in the form to find an eligible username field if an ineligible one is found.
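The selection rule from the user story, as confirmed in comments 30 and 33, modelled as an added example (not Firefox code and not part of the original thread). `parseFieldName`, `isEligibleUsernameField`, `findUsernameField` and the field objects are hypothetical; `parseFieldName` is a simplified stand-in for `getAutocompleteInfo().fieldName` that knows only a constructed subset of field names.

```javascript
// Added illustration: a model of the heuristic discussed in this bug, not Firefox source.
// autocomplete field names the user story accepts on a username field.
const USERNAME_OK = new Set(["username", "email", "tel", "tel-national", "off", "on", ""]);

// Constructed subset of valid autofill field names; a real parser knows the full list.
const KNOWN_FIELD_NAMES = new Set([
  "on", "off", "name", "given-name", "family-name", "username", "email", "tel",
  "tel-national", "street-address", "postal-code", "country", "organization",
  "cc-name", "cc-number", "new-password", "current-password",
]);

// Simplified stand-in for getAutocompleteInfo().fieldName: the last token names
// the field, and a missing or unrecognised value parses to "".
function parseFieldName(autocomplete) {
  const tokens = (autocomplete || "").trim().toLowerCase().split(/\s+/);
  const last = tokens[tokens.length - 1];
  return KNOWN_FIELD_NAMES.has(last) ? last : "";
}

// Model assumption: only text inputs are username candidates.
function isEligibleUsernameField(field) {
  return field.type === "text" && USERNAME_OK.has(parseFieldName(field.autocomplete));
}
// Walk backwards from the password field, skipping ineligible fields.
function findUsernameField(fields) {
  const pwIndex = fields.findIndex((f) => f.type === "password");
  for (let i = pwIndex - 1; i >= 0; i--) {
    if (isEligibleUsernameField(fields[i])) return fields[i];
  }
  return null;
}

// Constructed inputs mirroring the forms posted in comments 29 and 32,
// plus an address-only form of the kind comment 31 suggests for verification.
const comment29Form = [
  { name: "(unnamed)", type: "text", autocomplete: "ersahusername" },
  { name: "password", type: "password" },
];
const comment32Form = [
  { name: "username", type: "text" },
  { name: "firstname", type: "text" },
  { name: "lastname", type: "text", autocomplete: "family-name" },
  { name: "pw", type: "password", autocomplete: "off" },
];
const addressForm = [
  { name: "addr", type: "text", autocomplete: "street-address" },
  { name: "pw", type: "password" },
];
console.log(findUsernameField(comment32Form).name); // firstname
```

The invalid value `ersahusername` parses to `""` and so stays eligible, while a valid but unrelated value such as `family-name` or `street-address` is skipped and the search continues toward the start of the form.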
Comment 34 • 6 years ago
Considering all the above, I will mark this bug as VERIFIED. Thank you.