Soundcloud reset password page: "Generate Password..." fills field incorrectly
Issue description

Chrome Version: 69.0.3497.100 (Official Build) (64-bit)
OS: Mac OS X

What steps will reproduce the problem?
(1) Visit soundcloud.com reset password page (eg. https://secure.soundcloud.com/password-reset/f84f<snip>)
(2) Right-click first password field, click "Generate Password..."

What is the expected result?
Chrome fills both password fields

What happens instead?
Chrome fills *second* field (confirm password) instead of first. There is no way to populate both fields with same password.

Please use labels and text to provide additional information. If this is a regression (i.e., worked before), please consider using the bisect tool (https://www.chromium.org/developers/bisect-builds-py) to help us identify the root cause and more rapidly triage the issue. For graphics-related bugs, please copy/paste the contents of the about:gpu page at the end of this report.
Sep 27
Thanks for the report. Could you open chrome://password-manager-internals, visit the password reset site and attach the logs to this bug?
Sep 27
There is no way to copy/paste the field value into the correct field. Workaround: allow Chrome to populate wrong field, open DOM inspector, find 'value' property, copy to clipboard, copy into the correct field.
Sep 27
chrome://password-manager-internals

Captured password manager logs are listed below. Logs are cleared and no longer captured when all password-manager-internals pages are closed.

Message: PasswordAutofillAgent::DidStartProvisionalLoad
Message: PasswordAutofillAgent::SendPasswordForms
  only_visible: false
  Security origin: https://secure.soundcloud.com/
  Number of all forms: 0
Message: Generation invalid PasswordForm
Message: PasswordAutofillAgent::SendPasswordForms
  only_visible: true
  Security origin: https://secure.soundcloud.com/
  Number of all forms: 0
  Some control elements not associated to a form element are visible: false
Message: PasswordManager::CreatePendingLoginManagers
  SSL errors present: false
  IsPasswordManagementEnabledForCurrentPage: true
  Number of pending login managers (before): 0
  Number of pending login managers (after): 0
Message: PasswordManager::OnPasswordFormsRendered
Message: PasswordManager::CanProvisionalManagerSave
Message: No provisional save manager
Message: Generation invalid PasswordForm
Message: PasswordAutofillAgent::SendPasswordForms
  only_visible: false
  Security origin: https://secure.soundcloud.com/
  Number of all forms: 1
  Form is a password form: {
    Action : https://secure.soundcloud.com/ ,
    New password element : anonymous_new_password ,
    Origin : https://secure.soundcloud.com/ ,
    PSL match : false,
    Password element : anonymous_password ,
    Password generated : false,
    Scheme : HTML ,
    Signon realm : https://secure.soundcloud.com/ ,
    Times used : 0,
    Username element :
  }
Message: PasswordManager::CreatePendingLoginManagers
  SSL errors present: false
  IsPasswordManagementEnabledForCurrentPage: true
  Number of pending login managers (before): 0
  Adding manager for form: {
    Signature of form: 6826036903454713946
    Signon realm: https://secure.soundcloud.com/
    Origin: https://secure.soundcloud.com/
    Action: https://secure.soundcloud.com/
    Form name:
    Form fields:
      : 475301429, type=password, renderer_id = 11
      : 475301429, type=password, renderer_id = 12
      : 1067852723, type=checkbox, renderer_id = 13
  }
Message: FormFetcherImpl::Fetch
  FormFetcherImpl::state_: 1
  Number of pending login managers (after): 1
Message: Generation invalid PasswordForm
  Generation possible account creation forms: 1
Message: Generation: no non-blacklisted confirmation
Message: FormFetcherImpl::OnGetPasswordStoreResults
  Number of results from the password store: 0
Message: PasswordFormManager::ProcessMatches
  SSL errors present: false
  IsPasswordManagementEnabledForCurrentPage: true
Message: Generation: no server signal

-- here I click 'Generate Password' --

Message: Show generation popup triggered manually
Message: Generated password accepted
  SSL errors present: false
  IsPasswordManagementEnabledForCurrentPage: true
Message: PasswordFormManager::ProcessMatches
  The new state of the UI: 2
Sep 28
Maxim, could you take a quick look to triage this?
Sep 28
This is my hypothesis:
- We don't have any serverside data about this form as per the aggregated_uploads file (this surprises me a bit because it does not look like the signature would be unstable).
- As a result of this, the password manager just interprets this as password change form with the structure ("Old Password", "New Password").
I think that if the user clicks "Generate Password..." on the *first* password field, we should re-interpret the form as "New Password", "Confirmation Password". WDYT?
Sep 28
This bug is about old code in password_generation_agent, so it doesn't make sense to talk about interpreting this form. password_generation_agent doesn't do any parsing, it just uses simple heuristics which fail here. The problem is the following:
1. Both password fields have empty name attributes, as a result they have the same signature.
2. When the user clicks to generate password, signature is used for identifying fields between browser and renderer process.
3. Currently the last field with the same signature is chosen as a field for generation.
Our renderer generation code has a lot of such not-working corner cases. This one is easy to fix (by taking the first element for collision resolution), and I'll do it next week. But it wouldn't fix all such cases (say there are 10 elements with the same signature). I'm going to refactor it as a part of a big refactoring and then I'll try to come up with full fix (to use renderer input elements identifiers for example).
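
The collision described in the comment above, as an added example that is not part of the original thread and not Chromium's code: `Field`, `FieldSignature`, `FindLastBySignature`, `FindByRendererId` and `SampleForm` are hypothetical names, and the hash is a stand-in that only preserves the property that equal name and type give an equal signature.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Simplified stand-in for a form control as the log above lists them.
struct Field {
    std::string name;  // name attribute; empty on the reported page
    std::string type;  // "password", "checkbox", ...
    int renderer_id;   // unique per element within the renderer
};

// Stand-in signature (FNV-1a over name and type). NOT Chromium's algorithm;
// the only property that matters here: same name + type => same value.
uint32_t FieldSignature(const Field& f) {
    uint32_t h = 2166136261u;
    for (unsigned char c : f.name + "&" + f.type) { h ^= c; h *= 16777619u; }
    return h;
}

// Behaviour described in the comment: the last field with the signature wins.
// Returns the renderer id of the chosen field, or -1 if none matches.
int FindLastBySignature(const std::vector<Field>& form, uint32_t sig) {
    int hit = -1;
    for (const Field& f : form)
        if (FieldSignature(f) == sig) hit = f.renderer_id;
    return hit;
}

// Direction proposed for the full fix: identify the element by renderer id,
// which stays unambiguous however many fields share a signature.
int FindByRendererId(const std::vector<Field>& form, int id) {
    for (const Field& f : form)
        if (f.renderer_id == id) return f.renderer_id;
    return -1;
}

// Constructed sample mirroring the logged form: two nameless password fields
// (renderer ids 11 and 12) and a checkbox (13).
std::vector<Field> SampleForm() {
    return {{"", "password", 11}, {"", "password", 12}, {"", "checkbox", 13}};
}

int main() {
    const std::vector<Field> form = SampleForm();
    const uint32_t clicked = FieldSignature(form[0]);  // user clicked field 11
    std::cout << "by signature:   " << FindLastBySignature(form, clicked) << "\n";
    std::cout << "by renderer id: " << FindByRendererId(form, 11) << "\n";
}
```
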
Oct 17
Thanks for looking at this!
Nov 7
After considering pluses and minuses of the quick fix that I mentioned in #7 (about considering the first element for generation), the consequences are not clear, i.e. which sites would be broken. So it's better to make the proper solution together with the refactoring. I'm going to start refactoring in a few weeks.
Nov 29
vabr going hobby only -> reducing involvement. Please contact me directly in urgent matters.
Comment 1 by catalinp@google.com, Sep 27

Here is the final rendered outerHTML of the page:

<html lang="en"><head>
  <title>Change your password</title>
  <meta charset="utf-8">
  <meta content="IE=edge,chrome=1" http-equiv="X-UA-Compatible">
  <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no">
  <link href="https://secure.sndcdn.com/styles-bc1e82108cee7f8d45f1.css" rel="stylesheet"></head>
<body>
<div id="app"><div class="auth-ui">
  <div class="header "><div class="header__content"><div class="header__logo left"><a href="https://soundcloud.com" title="Home" class="header__logoLink header__logoLink-wordmark sc-border-box sc-ir">SoundCloud</a></div></div></div>
  <div class="l-content"><div class="content__container"><div class="bodyContent">
    <div class="bodyHeading"><h1 class="sc-type-h1">Change your password</h1></div>
    <div class="formWrapper passwordReset__formWrapper">
      <div class="bodyHeading"><p class="sc-type-light sc-type-medium">Choose a strong, unique password.<br><span>For tips on choosing a secure password, <a href="https://help.soundcloud.com/hc/articles/115003450547" target="_blank">visit our Help Center</a>.</span></p></div>
      <div class="form-group"><form><fieldset>
        <label for="password">Type your new password</label>
        <div class="FormInput -hasError"><input type="password" class="title auto-focus sc-input sc-input-large"><div class="FormError" style="display: block;">Enter at least 6 characters.</div></div>
        <label for="password">Type your new password again, to confirm</label>
        <div class="FormInput"><input type="password" class="title auto-focus sc-input sc-input-large"><div class="FormError" style="display: none;"></div></div>
        <label class="sc-checkbox"><div class="FormInput"><input class="sc-checkbox-input sc-input-large" type="checkbox"><div class="FormError" style="display: none;"></div></div><span> Also sign me out everywhere</span></label>
        <div class="form-buttons"><button class="sc-button sc-button-large sc-button-cta" name="commit" type="submit">Save</button></div>
      </fieldset></form></div>
    </div>
  </div></div></div>
  <div class="footer "><div class="footer__content"><div class="footer__links sc-border-light-top sc-text-verylight"><a class="sc-link-verylight" href="https://soundcloud.com/terms-of-use" title="Terms of use">Legal</a><span> ⁃ </span><a class="sc-link-verylight" href="https://soundcloud.com/pages/privacy" title="Privacy policy">Privacy</a><span> ⁃ </span><a class="sc-link-verylight" href="https://soundcloud.com/pages/cookies" title="Cookies policy">Cookies</a><span> ⁃ </span><a class="sc-link-verylight" href="https://soundcloud.com/imprint" title="Company information">Imprint</a></div></div></div>
</div></div>
<script type="text/javascript" src="https://secure.sndcdn.com/vendor-bc1e82108cee7f8d45f1.js"></script><script type="text/javascript" src="https://secure.sndcdn.com/app-bc1e82108cee7f8d45f1.js"></script>
<link rel="stylesheet" href="https://style.sndcdn.com/css/sc.min-1476bec3784f3a377698138b33b77c4fb55650f9.css">
</body></html>

Note both affected input fields are type=password.