Form Not Secure warning does not appear when focus changed by Tab key |
||||
Issue descriptionChrome Version: 58.0.2999 What steps will reproduce the problem? Visit http://http-credit-card.badssl.com/ or http://http-login.badssl.com/ with the Form Not Secure onfield warning enabled. Observe: "Payment Not Secure" and "Login Not Secure" warnings don't appear as you tab through the form. The warnings do appear if you click into nodes. Expect: Warnings appear when nodes are focused by tab. A naive fix here is to update AutofillAgent::FocusedNodeChanged with a call to ShowSuggestions at the end (with a similar change for the PasswordAutofillAgent, but this is problematic in a number of ways. First, it doesn't seem to handle the case where the form field is focused by default. Secondly, if you navigate "Back" to the page, the warning appears in the wrong location on the screen (likely for the same reason that the FNS-on-page-load behavior was reverted).
,
Feb 2 2017
> Could it be sufficient to popup the warning when the user types > or double-clicks on the field (basically triggering autofill)? That's nearly the way that it works today. It's arguably "good enough" (and I think what's likely to ship for M-57) but it doesn't match Firefox and there are some concerns from other Chromium browsers that it would be better if Tab triggered the same behavior as mouse click-induced focus. (Chrome's current behavior matrix is a little odd; it varies between password inputs and credit card inputs and based on whether you have stored values or not).
,
Feb 3 2017
One major concern with the current behaviour is that it offers little-to-no protection when a user pastes passwords. Imagine copy & paste from an email, or a scrapbook of passwords. Type username, Tab, Ctrl+V, Enter. By the time the user sees the warning, it is already too late and the password has been exposed to the page, or if the user presses Enter it may even be sent over HTTP before the user notices the warning. (Similarly, it offers little protection for users who cannot touch-type, as they will not see the warning while staring at their keyboard.)
,
Feb 7 2017
Issue 689215 has been merged into this issue.
,
Feb 7 2017
,
Nov 10 2017
,
Nov 10 2017
We decided not to launch this feature. |
||||
►
Sign in to add a comment |
||||
Comment 1 by ma...@chromium.org
, Feb 2 2017