New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 600101 link

Starred by 1 user
Status: Archived
Owner:
vabr@chromium.org
hobby only
Closed: Jul 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug



Sign in to add a comment

Passwords remembered for a particular DNS name are remembered and offered for other subdomains within the same domain

Reported by rafal.cz...@gmail.com, Apr 2 2016 
UserAgent: Mozilla/5.0 (X11; CrOS armv7l 7834.66.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.111 Safari/537.36
Platform: 7834.66.0 (Official Build) stable-channel daisy

Steps to reproduce the problem:
1. Log onto www.example.uni.ac.uk and let the password manager remember your password.
2. Log onto www.college.uni.ac.uk and log on with the same username (used throughout the campus) but with a different password - www.example and www.college are two distinct institutions which use different authentication mechanisms and the password are different.
3. The password manager suggests updating the password you had used for www.example to the one you have used in www.college - presumably due to the usernames matching.

What is the expected behavior?
Password manager should treat different subdomains within a corporation as distinct entities, even if usernames are the same.

What went wrong?
I can only user password remembered for one of the subdomains and have to always type the one for the second subdomain.

Did this work before? N/A 

Chrome version: 49.0.2623.111  Channel: stable
OS Version: 7834.66.0
Flash Version: Shockwave Flash 21.0 r0

Comment 1 by abodenha@chromium.org, Jun 7 2016

Labels: -OS-Chrome OS-All

Comment 2 by abodenha@chromium.org, Jun 7 2016

Components: -UI UI>Browser>Passwords

Comment 3 by vabr@chromium.org, Jun 8 2016

Labels: -Pri-2 Needs-Feedback Pri-3
Offering to use passwords from related fomains is working as intended. It is called "public suffix list matching" and it associated domains sharing the same public suffix [1].

Having said that, the matching usernames themselves do not mean that the passwords are going to be joined. I have no accounts on the domains you listed, but here is a sample workflow using our testing sites. Does that work differently on uni.ac.uk for you?

(1) Visit http://1.chromium-test1.appspot.com/testing/psl-matching/login, type in "username" and "password1", submit, save.
(2) Visit http://2.chromium-test1.appspot.com/testing/psl-matching/login, type in "username" and "password2", submit, save.
At this point, Chrome should have saved username/password1 for the first page and username/password2 for the second one. You can verify that by looking at chrome://settings/passwords and searching for "username".

Does the above work for you with the testing URLs? Does it work with uni.ac.uk?


[1] https://publicsuffix.org/

Comment 4 by rafal.cz...@gmail.com, Jun 8 2016 

Hi vabr@

Yes, I can confirm that this works as expected. I *think* what the actual problem is the sub-domain "level", i.e. in your example the domain is appspot.com so 1.chromium-test1.appspot.com and 2.chromium-test1.appspot.com are "two levels up".

AFAIK .ac.uk domains, similarly to .co.uk are treated as TLDs so they are on the same "level" as .com - maybe even uni.ac.uk is treated in a "special" way, who knows?

Could you prepare two more test sites, i.e. chromium-test2.appspot.com and chromium-test3.appspot.com, please?

BTW, uni.ac.uk is does not exist - I use "uni" here instead of the actual domain name of one of UK's universities.

Thanks for looking into this.

rjc
Project Member

Comment 5 by sheriffbot@chromium.org, Jun 8 2016

Labels: -Needs-Feedback Needs-Review
Owner: vabr@chromium.org
Thank you for providing more feedback. Adding requester "vabr@chromium.org" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by vabr@chromium.org, Jun 8 2016

Labels: -Needs-Review Needs-Feedback
Hi rjc,

Sorry for my incorrect use of terms in #3 -- you are correct to observe that not sharing the public suffix, but the public suffix + one more part of the domain name is required.

So indeed, in case of 1.chromium-test1.appspot.com and 2.chromium-test1.appspot.com the public suffix is appspot.com, and because they share one more part before that (chromium-test1), they are considered owned by the same entity, so passwords on those are considered associated.

We also have http://chromium-test2.appspot.com/testing/psl-matching, saving a password there won't share it with the chromium-test1.appspot.com domains, because those only share the bare public suffix.

In the case of UK academic institutions, Chrome will offer to link passwords for anything which shares one part above ac.uk (this includes your examples from #0).

So in what you describe, the PSL matching should apply by design. But it should not stop you from storing two separate passwords (even with the same username) on each of the domains -- see steps in #3. In addition, once you save a password on, say, www.example.uni.ac.uk, Chrome will no longer offer to fill passwords from related domains there.

Does that above work for you?

Thanks,
Vaclav
Project Member

Comment 7 by sheriffbot@chromium.org, Jul 9 2016

Status: Archived (was: Unconfirmed)
No feedback was received in the last 30 days from reporter "rafal.czlonka@gmail.com", so archiving this. Please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment