
Issue 770185


Issue metadata

Status: Duplicate
Merged: issue 616343
Owner: ----
Closed: Oct 25
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 770184




Chase pre-populates login ID in verification step

Project Member Reported by battre@chromium.org, Sep 29 2017

Issue description

https://chaseonline.chase.com has a verification process which sends a temporary identification code by email. You have to enter that code in a verification step.

The screenshot shows that the username is filled into the field that should get the code.
 
Attachment: image.png (104 KB)

Comment 1 by battre@chromium.org, Sep 29 2017

Components: UI>Browser>Passwords
Can anybody comment whether you see a chance to fix this? It looks really hard to distinguish this form from a login form.

This gets harder because we don't ping the autofill service for this type of form. Could the site use autocomplete attributes to make the password manager do the right thing?

Comment 2 by vabr@chromium.org, Oct 18 2017

Labels: Hotlist-Polish
Status: Available (was: Untriaged)
The site could present a hidden/readonly field annotated with autocomplete=username with the correct username value. I'm not completely up to date on Chrome's heuristics about hidden fields, though, so not sure if we would ignore a hidden field even if it were annotated.

There does not seem to be an autocomplete attribute value to mark an OTP [1], and the "off" value is ignored for good reasons [2].

Overall, I'm not sure if bundling the password without username with other data input for reauth is the best option. Looking at myaccount.google.com for inspiration, I see the sensitive sections (like settings for 2FA) behind a short-scoped reauth, which is just the normal accounts.google.com login (with username present but filled by the site in most cases). While it does mean two submits for the user instead of just one as here, this is barely a difference compared to typing the OTP.


[1] https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofilling-form-controls%3A-the-autocomplete-attribute
[2] https://dev.chromium.org/Home/chromium-security/security-faq#TOC-Why-does-the-Password-Manager-ignore-autocomplete-off-for-password-fields-
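
The suggestion in comment 2, modelled as an added example that is not part of the original thread and is not Chrome's form parser: a simplified username heuristic run over the reported form shape and over a form carrying a readonly `autocomplete=username` field. The field names, the nearest-preceding-text-field rule and the assumption that an annotated readonly field is honored are all assumptions made for illustration.

```javascript
// Added example: a simplified model, NOT Chrome's actual form parser.
// Assumption: with no autocomplete hint, the username is taken to be the
// closest text-like field that precedes the password field.
const TEXT_TYPES = ["text", "email", "tel"];

function tokens(field) {
  return (field.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// fields: descriptors in DOM order, e.g. {name, type, autocomplete, readOnly}
function guessUsernameField(fields) {
  const pw = fields.findIndex((f) => f.type === "password");
  if (pw === -1) return null; // no password field: nothing to pair with
  // Assumption: an explicit autocomplete=username annotation wins over position.
  const annotated = fields.find((f) => tokens(f).includes("username"));
  if (annotated) return annotated;
  for (let i = pw - 1; i >= 0; i--) {
    if (TEXT_TYPES.includes(fields[i].type)) return fields[i];
  }
  return null;
}

// Returns findings a site developer would want to see before shipping the form.
function auditForm(fields) {
  const findings = [];
  const guess = guessUsernameField(fields);
  if (guess && !tokens(guess).includes("username")) {
    findings.push(`"${guess.name}" is unannotated and may receive the saved username`);
  }
  return findings;
}

// Constructed sample forms (hypothetical field names).
const reportedForm = [
  { name: "identificationCode", type: "text" },
  { name: "password", type: "password" },
];
const annotatedForm = [
  { name: "userId", type: "text", autocomplete: "username", readOnly: true },
  { name: "identificationCode", type: "text" },
  { name: "password", type: "password" },
];

console.log(auditForm(reportedForm));
console.log(auditForm(annotatedForm));
```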
Project Member

Comment 3 by sheriffbot@chromium.org, Oct 18

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Available (was: Untriaged)
IIUC, we will start getting server hints for small password forms soon as well. This might help fix this issue by specifying no username. However, we also did a conflicting change in r571937, which might mean that server hints would not help here. Not sure if this kind of issue is frequent enough to warrant additional complexity in the form parser.
Cc: -epowers@chromium.org battre@chromium.org
Dominic, is this still reproducible?
Mergedinto: 616343
Status: Duplicate (was: Available)
