[MGNLUI-3827] Add user may pre-fill dialog with browser-saved user credentials (Firefox) Created: 23/Mar/16  Updated: 11/Mar/21  Resolved: 11/Mar/21

Status: Closed
Project: Magnolia UI
Component/s: security app
Affects Version/s: 5.4.5, 5.4.7
Fix Version/s: None

Type: Bug Priority: Neutral
Reporter: Mikaël Geljić Assignee: Unassigned
Resolution: Cannot Reproduce Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Firefox 44.0.2


Attachments: PNG File security-add-user.png    
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[ ]* Steps to reproduce, expected, and actual results filled
[ ]* Affected version filled
Date of First Response:

 Description   

In the Security app, hitting the "add user" action opens the dialog, with "superuser" (or current user, I don't know) pre-filled in the user name field, same for the first password field...


Cannot reproduce on Chrome, could this be Firefox-only, interfering with saved passwords??!



 Comments   
Comment by Tom Wespi [ 23/Mar/16 ]

Are you sure those values are not added by your browser? I just tested this with a fresh 5.4.5 and cannot reproduce it.

Comment by Mikaël Geljić [ 23/Mar/16 ]

Yeah, looks like there's something fishy from the browser indeed; question is whether others may run into that, under similar conditions?

Comment by Mikaël Geljić [ 23/Mar/16 ]

Awesome:

  • Long time ago, Firefox 3 introduced their "new" password manager, where they basically decided to ignore field-names (and make such wild-guesses)
  • https://bugzilla.mozilla.org/show_bug.cgi?id=499223

    The unfortunate side effect of this is that sometimes the login manager can fill a login into a form where it's not wanted. From the password manager's point of view it looks just like a login form, but it doesn't know the actual context of the form. [...] Due to the inherent ambiguities in form-based logins, there's an unavoidable tradeoff here between making the password manager work on lots of sites, and having it match the behavior of the old FF2 password manager (which checked field names). We've chosen to go with better functionality in the new password manager.

  • Back then, they advertised several workarounds too, one was setting autocomplete="off", which we actually do not use, as far as I could see
  • Until they decided to drop just that in Firefox 38 - https://www.mozilla.org/en-US/firefox/38.0/releasenotes/
  • So this leaves us with other ugly workarounds to try out

So I'm kinda puzzled why I'm facing that only now; has it been a known issue for that long? anyway...

Comment by Philip Mundt [ 05/Jul/16 ]

Can reproduce this on the demo instance using Firefox 47.

Generated at Mon Feb 12 09:10:29 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.