
Issue 688008

Starred by 4 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 3
Type: Bug


Hotlists containing this issue:
EnamelAndFriendsFixIt


Form Not Secure warning does not appear when focus changed by Tab key

Project Member Reported by elawrence@chromium.org, Feb 2 2017

Issue description

Chrome Version: 58.0.2999

What steps will reproduce the problem?
Visit http://http-credit-card.badssl.com/ or http://http-login.badssl.com/ with the Form Not Secure onfield warning enabled.

Observe: "Payment Not Secure" and "Login Not Secure" warnings don't appear as you tab through the form. The warnings do appear if you click into nodes.

Expect: Warnings appear when nodes are focused by tab.

A naive fix here is to update AutofillAgent::FocusedNodeChanged with a call to ShowSuggestions at the end (with a similar change for the PasswordAutofillAgent), but this is problematic in a number of ways. First, it doesn't seem to handle the case where the form field is focused by default. Secondly, if you navigate "Back" to the page, the warning appears in the wrong location on the screen (likely for the same reason that the FNS-on-page-load behavior was reverted).
 

Comment 1 by ma...@chromium.org, Feb 2 2017

Could it be sufficient to popup the warning when the user types or double-clicks on the field (basically triggering autofill)? 

I'm wary of doing a fundamental change to our logic.

> Could it be sufficient to popup the warning when the user types 
> or double-clicks on the field (basically triggering autofill)? 

That's nearly the way that it works today. It's arguably "good enough" (and I think what's likely to ship for M-57) but it doesn't match Firefox and there are some concerns from other Chromium browsers that it would be better if Tab triggered the same behavior as mouse click-induced focus.

(Chrome's current behavior matrix is a little odd; it varies between password inputs and credit card inputs and based on whether you have stored values or not).

One major concern with the current behaviour is that it offers little-to-no protection when a user pastes passwords. Imagine copy & paste from an email, or a scrapbook of passwords.

Type username, Tab, Ctrl+V, Enter. By the time the user sees the warning, it is already too late and the password has been exposed to the page, or if the user presses Enter it may even be sent over HTTP before the user notices the warning.

(Similarly, it offers little protection for users who cannot touch-type, as they will not see the warning while staring at their keyboard.)

Issue 689215 has been merged into this issue.

Labels: OS-All
Status: Available (was: Untriaged)

Comment 6 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 7 by est...@chromium.org, Nov 10 2017

Status: WontFix (was: Available)
We decided not to launch this feature.
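
The following page-level JavaScript sketch is an added example, not Chromium's autofill code and not from anyone in this thread. It shows why keying a not-secure warning on focus itself, rather than on click or typing, covers the Tab and focused-by-default cases discussed above. All function names and the fake window object are assumptions made for illustration.

```javascript
// Added illustration, not Chromium code; every name below is hypothetical.
const SENSITIVE_TOKEN = /^(cc-.+|current-password|new-password)$/;

// True for inputs that collect a password or payment-card data.
function isSensitiveField(el) {
  if (!el || el.tagName !== 'INPUT') return false;
  if (el.type === 'password') return true;
  const tokens = (el.autocomplete || '').toLowerCase().split(/\s+/);
  return tokens.some((t) => SENSITIVE_TOKEN.test(t));
}

// Warn only when the page is not a secure context (e.g. plain HTTP).
function shouldWarn(win, el) {
  return !win.isSecureContext && isSensitiveField(el);
}

// Hooks every route to focus; returns a function that removes the hook.
function installFocusWarning(win, showWarning) {
  const doc = win.document;
  const onFocusIn = (ev) => { if (shouldWarn(win, ev.target)) showWarning(ev.target); };
  // focusin bubbles and fires for Tab, click and script focus() alike.
  doc.addEventListener('focusin', onFocusIn);
  // Focused-by-default case: no focusin arrives for a field already focused.
  if (shouldWarn(win, doc.activeElement)) showWarning(doc.activeElement);
  return () => doc.removeEventListener('focusin', onFocusIn);
}

// Constructed stand-in for window/document so the logic runs under Node.
function makeFakeWindow(isSecureContext, activeElement) {
  const handlers = new Set();
  const document = {
    activeElement,
    addEventListener: (type, fn) => { if (type === 'focusin') handlers.add(fn); },
    removeEventListener: (type, fn) => { if (type === 'focusin') handlers.delete(fn); },
    focusByTab(el) { this.activeElement = el; handlers.forEach((fn) => fn({ target: el })); },
  };
  return { isSecureContext, document };
}

// Replays the thread's sequence: username focused by default, then Tab to password.
function demo(isSecureContext) {
  const user = { tagName: 'INPUT', type: 'text', autocomplete: 'username' };
  const pass = { tagName: 'INPUT', type: 'password', autocomplete: '' };
  const warned = [];
  const win = makeFakeWindow(isSecureContext, user);
  installFocusWarning(win, (el) => warned.push(el.type));
  win.document.focusByTab(pass);
  return warned;
}
```

In this model the warning fires the moment the password field gains focus, before any paste or keystroke reaches it.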