New issue
Advanced search Search tips

Issue 777600 link

Starred by 2 users
Status: Fixed
Owner:
rogerm@chromium.org
Closed: Oct 2017
Cc:
se...@chromium.org
mac-bugs-priority@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 1
Type: Bug-Regression



Sign in to add a comment

Credit card autofill is filling in unnamed inputs with credit card number.

Reported by miche...@stripe.com, Oct 23 2017 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. go to https://jsfiddle.net/mchl/9n8ujz7j/23/
2. use browser autofill to fill in the credit card input
3. additional, unmarked inputs are filled in (see: `.StripeField--fake` inputs)

What is really strange is that when we serve the exact same application on a different domain, instead of js.stripe.com, this behavior does not appear:
1. go to https://jsfiddle.net/mchl/9n8ujz7j/24/
2. use browser autofill to fill in the credit card input
3. additional, unmarked inputs are NOT filled in!

We've diffed the production builds in question and there is no difference, except for the URL. (See diffs in next section.) We could also not reproduce this issue in local builds.

What is the expected behavior?

What went wrong?
The non-credit-card-number input gets a credit card number filled in.

Did this work before? Yes We can reproduce this on 60, 61, and 62 starting this morning. It seems more like some sort of feature flag that was turned on?

Does this work in other browsers? Yes

Chrome version: 61.0.3163.100  Channel: n/a
OS Version: OS X 10.12.6
Flash Version: 

We chatted about this briefly with Jarred and Kumar at CDS today. Our thought: could js.stripe.com be whitelisted into some special behavior wrt autofill?
diff1.png
739 KB View Download
diff2.png
579 KB View Download
Screen Shot 2017-10-23 at 2.53.17 PM.png
825 KB View Download

Comment 1 by ligim...@chromium.org, Oct 23 2017

Labels: Needs-Triage-M61

Comment 2 by tkent@chromium.org, Oct 24 2017

Components: -Blink>Forms UI>Browser>Autofill

Comment 3 by miche...@stripe.com, Oct 24 2017 

Some more data points: I was able to reproduce this issue with a build of Stripe.js from October 1, which definitely did not have this issue at that time: https://jsfiddle.net/mchl/zymuu7to/3/

We saw our first user report of this issue this morning at 11:36 AM PT: https://twitter.com/HenrikJoreteg/status/922532151526023169

Comment 4 by ma...@chromium.org, Oct 24 2017

Labels: -Pri-2 Pri-1
Owner: rogerm@chromium.org
Status: Assigned (was: Unconfirmed)
Thank you Michelle! This version of chrome has been out for a while, we will verify what could be the problem.

Comment 5 by ma...@chromium.org, Oct 24 2017

Cc: se...@chromium.org
Hi Michelle, 

I narrowed down the issue to two fake fields around the actual input field. See the screenshot**. In my DOM, there's one above and below the actual field. Autofill gets confused. 

On those fake fields that should never be autofilled, can you put autocomplete="fake" instead of autocomplete="off"? Let me know if that's a possibility and whether it would fix the issue. autocomplete="off" has been disregarded for a while. 

Second question, is the Stripe form always embedded in an iframe? 

** You'll see that my DOM contains more information, because I've turned on chrome://flags#show-autofill-type-predictions
Screen Shot 2017-10-24 at 8.28.18 AM.png
111 KB View Download

Comment 6 by miche...@stripe.com, Oct 24 2017 

Oh, that's an awesome Chrome flag!

Thanks for the tip about `autocomplete="fake"` -- we'll go ahead use that instead for all of our fake inputs.

Yes, Stripe.js inputs are always embedded in an iframe, for PCI reasons :).

Comment 7 by ma...@chromium.org, Oct 26 2017

Status: ExternalDependency (was: Assigned)
I'll close this bug as the issue was resolved. Thanks Michelle and sorry for the problems.

Comment 8 by ma...@chromium.org, Oct 26 2017

Status: Fixed (was: ExternalDependency)

Sign in to add a comment