Password manager UI shows unelided hostnames |
|||||
Issue descriptionChrome Version: 72.0.3626.0 (Developer Build) (64-bit) OS: Linux What steps will reproduce the problem? (1) Visit a site with a very long domain name (I tested with https://aaaaaaaaaaaaaa[...]aaaa.com). (2) Fill out a password form. (3) See the password save bubble show the hostname. This may also require being navigated/navigating to a different origin after filling out the form but before opening the bubble (otherwise the bubble just says "this site"). What is the expected result? The hostname should be be elided from the leading end to fit ("...aaaaaa.com"). What happens instead? The hostname is shown unelided in the bubbles ("aaaaaaaaaaaa"). See attached screenshots for specifics. For comparison, the permission request bubble elides URLs using an elided view [0], but they are able to make that work due to the hostname coming first in the view (so they can have the entire view elide on the leading side). Here we might need to compute widths and elide the text when constructing the label instead. Normally we'd recommend url_formatter::ElideHost() [1], but that won't elide into the TLD+1. (We (Enamel) might want to add a separate helper function for eliding when we are okay with eliding into the TLD+1.) A separate issue is the handling of RTL IDNs, but this is caused by known issues/tradeoffs in url_formatter::FormatUrlForSecurityDisplay() [2] which is used to render these URLs in the actual UI [3]. We (Enamel) are currently revisiting this behavior to see if we can finally make it better match the omnibox. Eliding the host would still require a separate post-processing in the password manager views code though. I came across this when looking at GetHumanReadableRealm() [4] which just extracts the hostname using GURL::host(). This is then filled into an autofill::Suggestion object in AppendSuggestionIfMatching() [5]. This hostname label might be used in the accessibility label for various autofill popups [6] and cause all IDNs to render as punycode, but I have not tested this. Having a screenreader read punycode would potentially be very painful/confusing. I think these should also get formatted using url_formatter functions. UI strings which may be affected by this (from chrome/app/generated_resources.grd). I haven't completely gone through all of them to audit how they are generated in the code however. <message name="IDS_MANAGE_PASSWORDS_DIFFERENT_DOMAIN_TITLE" desc="The title text that is used in the manage passwords bubble when a password is autofilled or after a user has stored a password."> Saved passwords for <ph name="ORIGIN">$1<ex>example.com</ex></ph> </message> <message name="IDS_MANAGE_PASSWORDS_DIFFERENT_DOMAIN_NO_PASSWORDS_TITLE" desc="The title text that is used in the manage passwords bubble when no passwords are available for a different domain."> No passwords saved for <ph name="ORIGIN">$1<ex>example.com</ex></ph> </message> <message name="IDS_SAVE_PASSWORD_DIFFERENT_DOMAINS_TITLE" desc="The title of the save password bubble when the submitted form origin isn't equal to the page origin."> Save password for <ph name="ORIGIN">$1<ex>example.com</ex></ph>? </message> <message name="IDS_UPDATE_PASSWORD_DIFFERENT_DOMAINS_TITLE" desc="The title of the update password bubble when the submitted form origin isn't equal to saved credentials origin."> Update password for <ph name="ORIGIN">$1<ex>example.com</ex></ph>? </message> <message name="IDS_PASSWORD_MANAGER_ACCESSORY_PASSWORD_LIST_EMPTY_MESSAGE" desc="Message indicating that the list of saved passwords for this site is empty."> No saved passwords for <ph name="domain">$1<ex>example.com</ex></ph> </message> <message name="IDS_PASSWORD_MANAGER_ACCESSORY_PASSWORD_LIST_TITLE" desc="The title of a list of saved passwords for the currently visible site."> Saved passwords for <ph name="domain">$1<ex>example.com</ex></ph> </message> I also have not tested the password manager displays on iOS or Android, but they do not appear to include hostnames in the toast popups on saving passwords. The "show all" passwords list should get double checked as well. [0] https://cs.chromium.org/chromium/src/chrome/browser/ui/views/permission_bubble/permission_prompt_impl.cc?l=161 [1] https://cs.chromium.org/chromium/src/components/url_formatter/elide_url.h?type=cs&q=url_formatter::ElideHost&sq=package:chromium&g=0&l=52 [2] https://crbug.com/650760#c19 [3] https://cs.chromium.org/chromium/src/chrome/browser/ui/passwords/manage_passwords_view_utils.cc?type=cs&q=IDS_SAVE_PASSWORD_DIFFERENT_DOMAINS_TITLE&g=0&l=118 [4] https://cs.chromium.org/chromium/src/components/password_manager/core/browser/password_autofill_manager.cc?l=64 [5] https://cs.chromium.org/chromium/src/components/password_manager/core/browser/password_autofill_manager.cc?l=88 [6] https://cs.chromium.org/chromium/src/chrome/browser/ui/views/autofill/autofill_popup_view_native_views.cc?l=326
,
Dec 3
,
Dec 3
Looks like a fix can be to introduce 2 labels instead of one: Title: "Save password?" Label below: "...aaaaaa.com" Max, what do you think?
,
Dec 3
Thanks for catching this! What about allowing line breaks as we do in other views like Android page info (https://screenshot.googleplex.com/pvWchoRPmdL.png)?
,
Dec 3
Allowing line breaks seems like a good solution (although the pathological cases could be very long with each label in the domain being up to 64 characters). I don't believe this page action bubble allows vertical scrolling when the screen viewport is constrained -- line breaks might introduce some edge cases that could push the buttons off the screen so we might want to test that if we switch to allowing line breaks. An additional point I found that may incorrectly render hostnames is in the federated credentials string which just extracts the hostname from the origin. This comes up in a few places: https://cs.chromium.org/chromium/src/chrome/browser/extensions/api/passwords_private/passwords_private_delegate_impl.cc?l=232 https://cs.chromium.org/chromium/src/chrome/browser/ui/views/passwords/password_items_view.cc?l=133 https://cs.chromium.org/chromium/src/chrome/browser/ui/passwords/manage_passwords_view_utils.cc?l=76 I'm not sure what this is used for or how to trigger it though.
,
Dec 4
Looks like the multiline support is broken in Chrome for now. See the screenshot.
Federated credentials can be created as following:
cred = new FederatedCredential({
id: "myusername",
name: "My real name",
provider: "https://goooogle.com"
});
navigator.credentials.store(cred);
Just execute it in the console.
,
Dec 5
Thanks for the steps for federated credentials. It looks like it would also benefit from using url_formatter, as then it could properly display safe IDN hostnames like https://пример.испытание (see screenshot).
,
Dec 7
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/225e87c19467d05da9cbe3329f5b7956007f5daa commit 225e87c19467d05da9cbe3329f5b7956007f5daa Author: Vasilii Sukhanov <vasilii@chromium.org> Date: Fri Dec 07 17:28:02 2018 Allow char break in the title of the Save password bubble. It can contain URL and it's undesired to truncate its end. Bug: 910681 Change-Id: I187831c2295c8b964239880cb27ce1b426322658 Reviewed-on: https://chromium-review.googlesource.com/c/1367673 Reviewed-by: Maxim Kolosovskiy <kolos@chromium.org> Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org> Cr-Commit-Position: refs/heads/master@{#614735} [modify] https://crrev.com/225e87c19467d05da9cbe3329f5b7956007f5daa/chrome/browser/ui/views/passwords/password_pending_view.cc [modify] https://crrev.com/225e87c19467d05da9cbe3329f5b7956007f5daa/chrome/browser/ui/views/passwords/password_pending_view.h
,
Dec 10
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/c74a57b141eb944e5911fbb0e16bbbf6ab6eeea9 commit c74a57b141eb944e5911fbb0e16bbbf6ab6eeea9 Author: Vasilii Sukhanov <vasilii@chromium.org> Date: Mon Dec 10 11:30:02 2018 Display federation provider in a human-readable way in the password bubble. Bug: 910681 Change-Id: I8dd17feb32efd8f350964bab9a58d3c02c86dc14 Reviewed-on: https://chromium-review.googlesource.com/c/1368125 Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org> Reviewed-by: Christopher Thompson <cthomp@chromium.org> Cr-Commit-Position: refs/heads/master@{#615088} [modify] https://crrev.com/c74a57b141eb944e5911fbb0e16bbbf6ab6eeea9/chrome/browser/ui/passwords/manage_passwords_view_utils.cc [modify] https://crrev.com/c74a57b141eb944e5911fbb0e16bbbf6ab6eeea9/chrome/browser/ui/passwords/manage_passwords_view_utils.h [modify] https://crrev.com/c74a57b141eb944e5911fbb0e16bbbf6ab6eeea9/chrome/browser/ui/views/passwords/password_items_view.cc
,
Dec 10
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/d8cf10ed9991886042c3ec60a29608e407fdcfe8 commit d8cf10ed9991886042c3ec60a29608e407fdcfe8 Author: Vasilii Sukhanov <vasilii@chromium.org> Date: Mon Dec 10 17:23:16 2018 Display federation provider in a human-readable way in the password settings. Bug: 910681 Change-Id: I1fae5eb5382bdee7a0de4d241743cb5cc84e2a07 Reviewed-on: https://chromium-review.googlesource.com/c/1369801 Reviewed-by: Steven Bennetts <stevenjb@chromium.org> Commit-Queue: Vasilii Sukhanov <vasilii@chromium.org> Cr-Commit-Position: refs/heads/master@{#615156} [modify] https://crrev.com/d8cf10ed9991886042c3ec60a29608e407fdcfe8/chrome/browser/extensions/api/passwords_private/passwords_private_delegate_impl.cc
,
Dec 10
|
|||||
►
Sign in to add a comment |
|||||
?){kind=link}
Comment 1 by cthomp@chromium.org
, Nov 30