
Issue 649507

Starred by 3 users

Issue metadata

Status: Archived
Owner: ----
Closed: Nov 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug




Allow users to specify origin for password manager

Project Member Reported by auh@google.com, Sep 22 2016

Issue description

Some websites designate authentication realms in ways that do not conform to same origin policy root lists.

An example of this is libraryreserve.com, which uses a subdomain for each library, e.g.:
nypl.libraryreserve.com
brooklyn.libraryreserve.com

This is problematic for users who have multiple accounts as the autoselection may be incorrect.

Please allow users to override the origin data to include additional DNS labels beyond the expected root origin.
 

Comment 1 by shrike@chromium.org, Sep 22 2016

Components: UI>Browser>Passwords
Labels: -Pri-3 OS-Linux OS-Windows Pri-2
Project Member

Comment 2 by sheriffbot@chromium.org, Sep 23 2016

Labels: Hotlist-Google

Comment 3 by vabr@chromium.org, Sep 27 2016

Labels: Needs-Feedback
I'm not sure if I understand the concern. Could you please elaborate on what issues the user with multiple accounts sees?

Chrome uses public suffix matching: it recognises that nypl.libraryreserve.com and brooklyn.libraryreserve.com are owned by the same entity, so it relaxes the separation between passwords stored for these two origins. An example of this behaviour is:
1. The user stores card number 123 and password xyz on nypl.libraryreserve.com.
2. The user visits brooklyn.libraryreserve.com and starts typing 123 into the card number field.
3. Chrome also offers to fill "xyz" from nypl.libraryreserve.com.
4. However, the user can still override that suggestion and type "anotherpassword" into the password field of brooklyn.libraryreserve.com.
5. Chrome offers to save 123/anotherpassword for brooklyn.libraryreserve.com, and once the user accepts, Chrome will fill 123/anotherpassword on brooklyn.libraryreserve.com, 123/xyz on nypl.libraryreserve.com, and will not offer filling cross-origin in the future on these two origins (as long as the user keeps the above credentials stored).

Side note: This can be tested with http://1.chromium-test1.appspot.com/testing/psl-matching/login and http://2.chromium-test1.appspot.com/testing/psl-matching/login

auh@, could you please update as per c#3, in case the issue still exists?

Thank you!
Project Member

Comment 5 by sheriffbot@chromium.org, Nov 14 2016

Status: Archived (was: Unconfirmed)
No feedback was received in the last 30 days from reporter "auh@google.com", so archiving this. Please re-open or file a new bug if this is still an issue.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
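
The public suffix matching walkthrough in comment 3, modelled as an added example (not Chromium code and not part of the original thread). The `PasswordStore` class, the two-entry suffix set and the host `other-app.appspot.com` used when exercising it are constructed for illustration, and the model keys on hostnames only, ignoring scheme and port.

```python
# Simplified model of the behaviour described in comment 3; not Chromium code.
# Constructed, minimal suffix set. A real implementation loads the full
# Public Suffix List; "com" and "appspot.com" are both entries on it.
PUBLIC_SUFFIXES = {"com", "appspot.com"}


def registrable_domain(host):
    """Return the public suffix plus one label (eTLD+1), or None."""
    labels = host.lower().rstrip(".").split(".")
    # Scan from the longest candidate so the longest public suffix wins.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


class PasswordStore:
    def __init__(self):
        self._by_host = {}  # host -> {username: password}

    def save(self, host, username, password):
        self._by_host.setdefault(host, {})[username] = password

    def suggestions(self, host):
        """Return (username, password, source_host, is_psl_match) tuples."""
        exact = self._by_host.get(host, {})
        if exact:
            # A credential saved for this exact host suppresses
            # cross-origin offers (step 5 in comment 3).
            return [(u, p, host, False) for u, p in exact.items()]
        site = registrable_domain(host)
        if site is None:
            return []
        # No exact match: offer credentials from hosts that share the same
        # registrable domain, and never from a different one.
        return [
            (u, p, other, True)
            for other, creds in sorted(self._by_host.items())
            if registrable_domain(other) == site
            for u, p in creds.items()
        ]


def walkthrough():
    """Steps 1-5 from comment 3: suggestions before and after the override."""
    store = PasswordStore()
    store.save("nypl.libraryreserve.com", "123", "xyz")
    before = store.suggestions("brooklyn.libraryreserve.com")
    store.save("brooklyn.libraryreserve.com", "123", "anotherpassword")
    after = store.suggestions("brooklyn.libraryreserve.com")
    return before, after
```

Because `appspot.com` is itself a public suffix, the two test hosts from the side note match each other through `chromium-test1.appspot.com`, while a different app under `appspot.com` gets no suggestion.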
