
Issue 880771


Issue metadata

Status: Untriaged
Owner: ----
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Migrated non-HTML credentials with wrong signon_realm not deleted.

Project Member Reported by gemene@google.com, Sep 5

Issue description

Chrome Version: 70.0.3538.0 (Developer Build) (64-bit)
OS: all

Imagine there is an HTTPS page and a non-HTML credential saved on the HTTP version of the site. The user visits the HTTPS version of the site.
Suppose there are no credentials for HTTPS.
HttpPasswordStoreMigrator migrates HTTP credentials.
Migration starts, and during migration HttpPasswordStoreMigrator discards the auth realm from signon_realm. So, the HTTPS credentials will have an invalid signon_realm and cannot be used.
Suppose HTTP credentials are deleted from the store. For example:
       1. during migration the HTTP credentials were moved (remove HTTP, and create HTTPS)
       2. the user deletes the HTTP credentials manually.

After that, the InvalidRealmCredentialCleaner class was added.
This class will not delete HTTPS credentials because there are no matching (same date of creation, origin excluding protocol and username) HTTP credentials.
See https://docs.google.com/document/d/139w-K9cuCzFaqANNiEixpGLojZ2Fc6wo_q2PXgk238A/edit?usp=sharing for more details about this cleaning.


So, migrated non-HTML HTTPS credentials are never used, because of the invalid signon_realm, and are not deleted by InvalidRealmCredentialCleaner.
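
The sequence in the report, as an added example that is a simplified model and not Chromium code or part of the original report. The `Cred` struct, the function names, the host `example.test`, the realm `Intranet` and the `origin + "/" + auth realm` form of signon_realm are assumptions made for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Simplified model of the scenario, not Chromium code. Assumption: a non-HTML
// signon_realm has the form origin + "/" + auth realm.
struct Cred {
  std::string scheme, host, signon_realm, username;
  long date_created;
};

// Migration as reported: the HTTPS copy loses the auth realm.
Cred MigrateDroppingRealm(const Cred& http) {
  return {"https", http.host, "https://" + http.host + "/", http.username,
          http.date_created};
}

// Cleaner match rule from the report: an HTTP credential with the same
// creation date, origin excluding protocol, and username.
bool HasHttpTwin(const std::vector<Cred>& store, const Cred& https) {
  return std::any_of(store.begin(), store.end(), [&](const Cred& c) {
    return c.scheme == "http" && c.host == https.host &&
           c.username == https.username && c.date_created == https.date_created;
  });
}

// Runs migrate -> (optional HTTP removal) -> clean, and returns how many HTTPS
// credentials remain whose signon_realm can never match the real auth realm.
std::size_t OrphansAfterClean(bool http_removed_before_clean) {
  // Constructed sample credential.
  const Cred http{"http", "example.test", "http://example.test/Intranet",
                  "alice", 1000};
  std::vector<Cred> store{http, MigrateDroppingRealm(http)};
  if (http_removed_before_clean) store.erase(store.begin());
  const std::vector<Cred> snapshot = store;
  store.erase(std::remove_if(store.begin(), store.end(), [&](const Cred& c) {
    return c.scheme == "https" && HasHttpTwin(snapshot, c);
  }), store.end());
  const std::string wanted = "https://example.test/Intranet";
  return static_cast<std::size_t>(
      std::count_if(store.begin(), store.end(), [&](const Cred& c) {
        return c.scheme == "https" && c.signon_realm != wanted;
      }));
}

int main() {
  std::cout << "HTTP still present: " << OrphansAfterClean(false) << " orphan(s)\n";
  std::cout << "HTTP removed first: " << OrphansAfterClean(true) << " orphan(s)\n";
}
```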

