autocomplete=off should yield a one-time informational dialog

Bug #38513 reported by Richard Laager
Affects: Mozilla Firefox | Status: Won't Fix | Importance: Medium
Affects: firefox (Ubuntu) | Status: Won't Fix | Importance: Wishlist | Assigned to: Mozilla Bugs

Bug Description

I am perfectly capable of telling how secure my computer is. Firefox honors site designer's requests to not allow autocomplete (password saving) on a given form field. This is a bug, not a feature.

I read some rumors about banking sites threatening to block Firefox if it didn't honor autocomplete=off. Bowing to that pressure is unacceptable.

At the very least, there should be an option (even if it's hidden in about:config) to disable this behavior.

Also, if this behavior is going to be left, or there's going to be an option, it'd be nice if Firefox would pop up a dialog the first time this happens:

"This site has requested that browsers not save form data (e.g. usernames, passwords, etc.).

[ ] Show this message when a site blocks autocompletion

[OK]"

Then, by default, users would see one warning about this. That way they'd know what the heck was going on instead of wondering (like I did) why Firefox isn't offering to save the password.

Tags: mt-confirm
In , Gavin Sharp (gavin-sharp) wrote :

I'm not sure I really understand the desire to have a hidden pref that makes people jump through hoops to override autocomplete=off when people who want to do this can already do it with a simple bookmarklet or extension. Using a bookmarklet is much simpler than using the functionality you propose (typing "YES", etc).

In , Riffer-vaxer (riffer-vaxer) wrote :

Bookmarklets and extensions are not native. They do not function with all websites. And it's relying on a 3rd party's development work.

As long as the Mozilla Foundation makes the mistake of believing that the Financial Industry understands IT security, this is a lost cause.

In , Gavin Sharp (gavin-sharp) wrote :

The impossibility of making this feature "native" is precisely the reason that bug 245333 was wontfixed. It's a trivial workaround for those who want to get around it.

In , Jruderman (jruderman) wrote :

I think allowing users to override autocomplete=off using the context menu is a good idea. I don't know whether it would cause financial institutions to blackmail us again, though.

Carthik Sharma (carthik) wrote :

Users can use an extension to control behaviour. Upstream says "wontfix" for the bug the user refers to, hence closing.

Please use an extension or bookmarklet to modify this behaviour according to your preference.

Thank you for reporting this.

Changed in firefox:
status: Unconfirmed → Rejected
Richard Laager (rlaager) wrote :

I disagree with the upstream bug resolution. That's probably not likely to change, though. I also think this is a place where the distro should step up and correct the upstream mistake. If site owners can determine which passwords can be stored, we're going to head towards a world where everyone thinks they should disable autocomplete, and password managers will be useless. Extensions and bookmarklets are not the answer. We don't want to start an "arms race" here.

That said... I would still like to see a dialog the first time this situation happens. I was really frustrated when the password saving didn't work for me. It took me quite a bit of searching to find the solution. I'm a "power" user. What is the average user supposed to do? Even if we're not going to give them an option to override the site's suggestion, we should at least inform them why their browser isn't following their preferences. If Firefox is offering to remember passwords on most sites, it's confusing for there to be some exceptions. Shall I file a new bug for this request, or can this one be reused?

Richard Laager (rlaager) wrote :

Requested this dialog upstream: 333080

Launchpad won't let me add a second upstream bug number.

Carthik Sharma (carthik) wrote :

Reopening bug per reporter's request.

Changed in firefox:
status: Rejected → Confirmed
Carthik Sharma (carthik) wrote :

Richard, I have reopened the bug.
I have also filed Bug #38528 regarding the inability to add more than one upstream bugwatch.

Let me put a link to the remote bug here, just in case:
https://bugzilla.mozilla.org/show_bug.cgi?id=333080

Ian Jackson (ijackson) wrote : Re: [Bug 38513] Firefox should not honor autocomplete=off

Richard Laager writes ("[Bug 38513] Firefox should not honor autocomplete=off"):
> I am perfectly capable of telling how secure my computer is. Firefox
> honors site designer's requests to not allow autocomplete (password
> saving) on a given form field. This is a bug, not a feature.

I'm inclined to agree. However, I'm afraid I don't consider this a
priority for Dapper. I'm sure upstream will be happy to accept a
patch that provides an about:config to override the site-specified
behaviour.

Ian.

Richard Laager (rlaager) wrote :

Upstream will not. At least two banks (Wells Fargo and Citibank) blocked Netscape 6 before because it didn't honor autocomplete=off. From the comments in the upstream bugs, it seems they would not accept having a user-option, even hidden, to allow the user to override autocomplete=off. They are concerned about somebody turning on password saving in an Internet cafe, it seems. That's really only a defensible position if the hypothetical attacker couldn't install an extension. I don't know if that'd be possible.

See Comment #17 on https://bugzilla.mozilla.org//show_bug.cgi?id=63961

In any case, if Ubuntu ships a Firefox with the proper behavior (from the user's perspective), then there are a couple scenarios:

1. If Ubuntu has a different user-agent string from other copies of Firefox. (I think it does put Ubuntu in there...):
        a. Banks block Ubuntu's Firefox. In this case, you could choose to change the user-agent string and move to #2.
        b. Banks don't notice/care and everything is good.

2. If Ubuntu uses the same user-agent string as Firefox in general.
        a. Banks don't block Firefox. Everything is good for Ubuntu users.
        b. Banks block Firefox because of the way Ubuntu compiles it. Lots of people will be mad at you.

On the one hand, I don't think the Mozilla folks should've given in to the banks' blackmail like that. However, I really don't want to see scenario 2b play out.

fubarbundy (launchpad-mailtic) wrote :

I read in that bug report about an #IFDEF that can be changed.. does anyone want to mention where it is on here so that people who want to recompile the deb can? :)

Changed in firefox:
status: Unconfirmed → Confirmed
In , Mozilla-bugs-2010-04 (mozilla-bugs-2010-04) wrote :

I actually think that Aleksey's suggestion is brilliant. It addresses all of the possible security concerns: it is a hidden preference, that is enabled on a per-site basis, and requiring that the information be encrypted. I'd really like to see this implemented.

Alexander Sack (asac) wrote :

enqueue this for proper processing by mozillateam.

Changed in firefox:
assignee: nobody → mozilla-bugs
status: Confirmed → Needs Info
In , Mozilla-avbentem (mozilla-avbentem) wrote :

See also bug 333080 which suggests a one-time dialog (I think Aleksey's suggestion is better, either as a context menu or dialog, but at least not enabled by default).

Matthew Paul Thomas (mpt) wrote :

If it makes you feel any better, autocomplete="off" is vital to prevent interference by the browser's autocomplete menu whenever the Web site offers its own autocomplete menu. For example, Google Suggest uses it.

See also <http://www.whatwg.org/specs/web-forms/current-work/#the-autocomplete>.

In , Dolske (dolske) wrote :

I think a context menu for "No, Really, Please Work Like I'm Expecting" just isn't a good idea. It also doesn't work well -- the "fill in passwords" code has probably already run before you can bring up the menu at page load, and the "can this password be saved" code runs after Submit has already been clicked. Ugh. I don't think we're in a good state with autocomplete yet, but this isn't the answer.

In , Mozilla-bugs-2010-04 (mozilla-bugs-2010-04) wrote :

Note that you can bypass autocomplete=off with the method I describe here:
http://dotancohen.com/howto/firefox_password_manager.php

In , Mcicogni (mcicogni) wrote :

I cannot agree on a WONTFIX resolution, since there are already, at a minimum, two workarounds (i.e. the one proposed by comment 8 and a "Remember Password" bookmarklet that can be readily found by googling a bit) that do what the users need.

I agree that it does trade security for convenience, but until financial institutions clean up their acts and start investing in security (instead of burdening their customers) things like this are just going to happen.

Changed in firefox:
status: Confirmed → Won't Fix
Alexander Sack (asac) wrote :

we follow upstream decision to not fix this bug.

Changed in firefox:
status: Incomplete → Won't Fix
Changed in firefox:
importance: Unknown → Wishlist
Changed in firefox:
importance: Wishlist → Medium