New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 820663 link

Starred by 1 user
Status: Duplicate
Merged: issue 838309
Owner:
battre@chromium.org
Closed: May 2018
Cc:
krajshree@chromium.org
sindhu.chelamcherla@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Mac
Pri: 2
Type: Bug



Sign in to add a comment

autocomplete="new-password" doesn't disable "use password for"

Reported by brackets...@gmail.com, Mar 10 2018 
UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.186 Safari/537.36

Steps to reproduce the problem:
1. Go to any website that remembers your account credentials
2. Enter any username
3. Inspect the password element
4. Add or modify the attribute "auto-complete" so that it has a value of "new-password", if it does not already.
5. Double-click the password field, you'll see options to use an existing password

What is the expected behavior?
In past versions of Chrome, autocomplete="new-password" didn't show this drop-down which is desired.

What went wrong?
In recent versions of Chrome, autocomplete="new-password" does show "Use Password For".

Did this work before? N/A 

Chrome version: 64.0.3282.186  Channel: n/a
OS Version: 10.0
Flash Version: 

I have a problem with the concept of "Use Password For" in itself. Consider this scenario.

If someone saves their password in Chrome, and I logged into their account with a saved password, I could cause a cascade of changes that asking for a password no longer prevents because the user can just "Use Password For" and circumvent the password.

I have no problem with autofilling passwords for a matching username if the user has so chosen but I think "Use Password For" is harmful to website security.

Because things are easily changed with Inspect-Element, there's not even an attribute or such that could be set to situationally disable Use Password For.

Comment 1 by krajshree@chromium.org, Mar 11 2018

Labels: Needs-Triage-M64

Comment 2 by ajha@chromium.org, Mar 22 2018

Components: -UI UI>Browser>Autofill

Comment 3 by krajshree@chromium.org, Apr 12 2018

Cc: krajshree@chromium.org
Labels: Triaged-ET Needs-Feedback
bracketsage@ - Thanks for filing the issue...!!

Could you please provide a sample test file/url to test the issue from TE-end. This will help us in triaging the issue further.

Thanks...!!

Comment 4 by brackets...@gmail.com, Apr 12 2018 

1. Go here https://jsfiddle.net/9ephouy8/9/

1. Enter a sample username
2. Push the submit button once or twice (until the save-password prompt fires) and save the password
3. You may need to refresh the page, but double-click the bottom password-field and it will offer to use a password that you've entered, even though auto-complete="new-password"
Project Member

Comment 5 by sheriffbot@chromium.org, Apr 12 2018

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 6 by sindhu.chelamcherla@chromium.org, May 10 2018

Cc: sindhu.chelamcherla@chromium.org
Labels: M-68 FoundIn-68 Target-68 OS-Linux OS-Mac
Status: Untriaged (was: Unconfirmed)
Able to reproduce this issue on 64.0.3282.186 , on latest stable and latest canary 68.0.3246.0 using Windows 10, Mac 10.13.3 and Ubuntu 14.04.

This issue is seen from introduction of key icon from M-62, Hence considering this issue as Non-Regression and marking as Untriaged.

Thanks!

Comment 7 by rogerm@chromium.org, May 15 2018

Components: -UI>Browser>Autofill UI>Browser>Passwords
Owner: battre@chromium.org
over to battre@ for passwords triage

Comment 8 by battre@chromium.org, May 15 2018

Mergedinto: 838309
Status: Duplicate (was: Untriaged)

Sign in to add a comment