Issue 385619 in chromium: password autofill bug on subdomains

[chro...@googlecode.com]

Status: Unconfirmed
Owner: ----
Labels: Pri-2 Via-Wizard Type-Bug-Regression OS-Linux

New issue 385619 by nicel...@gmail.com: password autofill bug on subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

UserAgent: Mozilla/5.0 (X11; Linux i686 (x86_64)) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Steps to reproduce the problem:
1. autorisoes and save the password for example here:
http://example1.site.com/
2. then try to log in for example here: http://example2.site.com/
3. chrome tries to substitute the username and password from the first
subdomain

What is the expected behavior?
Expected for each subdomain will be saved and offered their password.
Previously, it was so.

What went wrong?
In previous versions was the setting:
chrome://flags/#password-Outlook add-public-suffix-domain-matching

She solved the problem.
You can get her back?

Also about this problem writing here:
https://codereview.chromium.org/241033002/
https://productforums.google.com/forum/#!topic/chrome/og3KxtNPaxY

Did this work before? N/A

Chrome version: 35.0.1916.153 Channel: stable
OS Version: Ubuntu 14.04
Flash Version: Shockwave Flash 14.0 r0



--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[chro...@googlecode.com]

Updates:
Status: WontFix

Comment #3 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

To clarify point 3. from the description:
Chrome never autofills cross-domain.
If example1.site.com has the same public suffix as example2.site.com (see
https://publicsuffix.org/), and there are credentials stored for example1
but not example2, Chrome offers the user to explicitly chose the example1
credentials from the autocomplete context menu to get them filled in. The
offered choice is clearly labelled as coming from example1, so the user has
both the tools and the knowledge to make the right decision.

The experimental flag was there only temporary. Now that the feature is
active for a couple of releases, and works as intended, the flag was
removed.

[chro...@googlecode.com]

Updates:
Cc: va...@chromium.org
Labels: Needs-Feedback

Comment #5 on issue 385619 by rponn...@chromium.org: password autofill bug
on subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

@va...@chromium.org: Could you please look into comment4# and respond to
user.

[chro...@googlecode.com]

Comment #7 on issue 385619 by nicel...@gmail.com: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Thanks for the explanation.

Unfortunately unable to save your password for the second subdomain, if
first he was already saved. Chrome inserts password directly from the first
subdomain after even a partial login.

Therefore, you cannot use password Manager for this situation.

May be able to return the flag to check the exact match for the domain,
instead of the current logic by default.
Or better yet make exceptions - so for a number of domain can be installed
logic exact matches for others, let it be by default.

Is this possible?

[chro...@googlecode.com]

Comment #8 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Thanks for your response.

If the user is not able to overwrite an autofilled password, that's a bug
which we need to fix, instead of introducing the flag again.

But it's hard to fix without a test case we can reproduce.

When I tried to replace a saved password I had no problems. What I did was:
1. Go to https://form870.appspot.com/smoke.html, fill in
credentials "User"/"Password1" in the last form, submit.
2. Accept the offer to save that password. (Check in
chrome://settings/passwords that the password is saved.)
3. Go to https://form870.appspot.com/smoke.html, see the credentials
for "User" autofilled.
4. Rewrite the content of the password field to something else,
e.g., "OtherPassword", and submit.
5. Check chrome://settings/passwords that the currently saved password
for "User" has changed to "OtherPassword" automatically.

Now that above does not yet involve PSL matching, I just wanted to confirm
that it works as expected for both of us.

Now the PSL variation of what I would expect would be:
PSL-1: Go to example1.site.ru, save a password for "User".
PSL-2: Go to example2.site.ru. Nothing should be autofilled yet.
PSL-3: Still on example2.site.ru, start typing "User" in the user field.
PSL-4: Chrome should offer the credentials from example2.site.ru.
PSL-5: As in step 4. above, ignore the filled-in password, and rewrite with
a different password, valid for example2. Submit.
PSL-6: Chrome should ask for saving the password for example2 (as it did
for example1 before), and chrome://settings/passwords should show two
entries for "User", one for example1, one for example2, each with a correct
password.

Could you please specify what exactly went wrong for you from the PSL-*
steps above? Which was the last one you saw as written here, and the first
one which behaved differently?

[chro...@googlecode.com]

Comment #9 on issue 385619 by nicel...@gmail.com: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

The problem is the following:
PSL-1,PSL-2,PSL-3. happening
PSL-4. Chrome offers to use the data from example1 to refuse it or to try
to enter the data directly for example2 does not give

Now all different and eventually the password for example1 is replaced with
the password for example2.

In the example where You tried to change the password, everything is
correct and works.
But if you use two different subdomain, that is the situation as I describe.

[chro...@googlecode.com]

Comment #10 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Sorry, I made a typo in PSL-4: "from example2.site.ru" should be "from
example1.site.ru"

I did not understand the sentence on line 3 of #9.
Based on the rest of #9, I understand that you were able to rewrite the
suggested password with the new one for example2, but then the new password
resulted in changing the previously stored password for example1. Is that
correct?

So when you look at chrome://settings/passwords after that, do you see two
entries, one for example1, the other for example2, but both with the
password for example2? Or do you see just one entry? If so, is it for
example1 or example2?

[chro...@googlecode.com]

Updates:
Owner: va...@chromium.org

Comment #11 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

In the absence of other test accounts, I'm creating a test AppEngine to
simulate the issue. Will update this ticket with the results.

[chro...@googlecode.com]

Comment #12 on issue 385619 by nicel...@gmail.com: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

> Based on the rest of #9, I understand that you were able to rewrite the
> suggested password with the new one for example2, but then the new
> password resulted in changing the previously stored password for
> example1. Is that correct?

You understood it correctly

> So when you look at chrome://settings/passwords after that, do you see
> two entries, one for example1, the other for example2, but both with the
> password for example2? Or do you see just one entry? If so, is it for
> example1 or example2?

I see only one record from example1

I recorded a short video with an example:
https://dl.dropboxusercontent.com/u/8172143/p/out.ogv

In it I'm on one subdomain, and typing the same for subdomains login chrome
offers to use the password from another subdomain and refuse't.

After entering the login trying to press tab or just switch the mouse on
the field for a password - chrome still thinks that I chose the password
from another subdomain, and the password from the current subdomain
overwrites it.

[chro...@googlecode.com]

Comment #13 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Thanks for the video, that's helpful.

What I would suggest, is:
After you click on the suggestion, and both the username and the (wrong)
password are autofilled, just change the content of the password field to
the correct password. (It should stop being yellow once you do that.) Then
click submit, and the correct password should be automatically saved.

I just tested the issue (as far as I understood it) on an appengine
instance with a subdomain, and PSL matching worked as expected. To be sure
we understand each other, let me write down the steps I did (hopefully
without typos as in #8):

my-PSL-1: Go to sub1.example.org, save a password for "User".
my-PSL-2: Go to sub2.example.org. Nothing is autofilled yet.
my-PSL-3: Still on sub2.example.org, start typing "User" in the user field.
my-PSL-4: Chrome offer the credentials from sub1.example.org.
my-PSL-5: I accept the suggestion, both username and password fields have
yellow background.
my-PSL-6: Click on the password field, and replace the wrong password with
a correct one.
my-PSL-7: Submit the form on sub2.example.org.

After that, chrome://settings/passwords shows me two saved passwords: one
for sub1.example.org, one for sub2.example.org. When I check them, they are
both correct. When I go to sub1.example.org or sub2.example.org at this
time, the correct password for the current page is autofilled (without any
PSL matching).

[chro...@googlecode.com]

Comment #14 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Just for completeness, I should say I tested with a newer version:
37.0.2061.0 (Developer Build 278677)

[chro...@googlecode.com]

Comment #15 on issue 385619 by nicel...@gmail.com: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

All what You described is true. I have this procedure password from the
sub1 were replaced with what I typed in sub2
Once again I checked and found that the error does not recur
Maybe we need some special conditions for this.
If the problem appears again, then I will tell You

Thank you very much for your help!

[chro...@googlecode.com]

Comment #16 on issue 385619 by nicel...@gmail.com: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Единственное что я заметил, то что хром не предлагает мне сохранить пароль
для sub2. Хотя по факту это совершенно другой сайт. Так и должно быть? Это
не очень удобно - не понято сохранился пароль или нет.

[chro...@googlecode.com]

Comment #17 on issue 385619 by nicel...@gmail.com: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

The only thing I noticed is that chrome does not offer me to save the
password for sub2. Although that's a completely different website. It
should be? This is not very convenient, is not understood preserved
password or not.

[chro...@googlecode.com]

Updates:
Status: WontFix

Comment #18 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Thanks for your feedback!
As for your question in #17:
Chrome does not ask you, but in this case it saves the password
automatically. You should be able to see it saved in
chrome://settings/passwords. The reason is that the new password for sub2
is treated rather as an update of an existing password.

I agree that strictly speaking, the new password is not an update, because
the old password was for a different domain. But, because at this moment,
the user already has saved a password for the same user, on a related
domain, it sounds reasonable to expect that such password should be saved.
Also, if it weren't saved, the PSL-matched password from sub1 would be
suggested on sub2 in the future again, which sounds like a less useful
state.

Given your comment #15, I'm closing this now. Do not hesitate to let me
know, if you have further questions, or if you encounter issues with this
feature.

Thanks!

[chro...@googlecode.com]

Comment #21 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

1. fill in the username
2. fill in the password
3. submit
Nothing convoluted about that, works as intended.

[chro...@googlecode.com]

Comment #22 on issue 385619 by j...@fidano.com: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Chrome Version 35.0.1916.153 m

Here's the behavior though with subdomains. Close to what you wrote, but a
very broken part below.

Example:

Two different subdomains: sub1.example.org and sub2.example.org
Two different credentials (each is exclusive to that subdomain)
sub1.example.org : User / password51
sub1.example.org : User / passwordsomethingelse

my-PSL-1: Go to sub1.example.org, save a password for "User".
my-PSL-2: Go to sub2.example.org. Nothing is autofilled yet.
my-PSL-3: Still on sub2.example.org, start typing "User" in the user field.
my-PSL-4: Chrome offer the credentials from sub1.example.org.
my-PSL-5: I accept the suggestion, both username and password fields have

yellow background. (even though password is set to autocompleted="off")

my-PSL-6: Click on the password field, and replace the wrong password with
a correct one.
my-PSL-7: Submit the form on sub2.example.org.

my-PSL-8: Chrome CHANGES the password to the original User suggestion
before submissions (reverts to suggestion) even though it was typed in and
corrected.

This is true for both clicking on the "Submit" or hitting Enter to submit
the form from the password box.

[chro...@googlecode.com]

Updates:
Status: Assigned

Comment #23 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Thanks, j...@fidano.com, for the report.
This sounds like something specific to the site, where a non-PSL matching
related bug might be interfering with the PSL-matched credentials.

When you repeat your steps on the test URLs
http://1.chromium-test1.appspot.com/ and
http://2.chromium-test1.appspot.com/, do you see that issue as well? I
cannot reproduce it there, although I tried with a more recent version
(36.0.1985.103 (Official Build 280322) beta, on GNU/Linux).

It would be helpful if we could have a test account on a site, where the
issue is reproducible. I understand that that might not be possible, just
asking.

[chro...@googlecode.com]

Updates:
Cc: -va...@chromium.org

Comment #25 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
http://code.google.com/p/chromium/issues/detail?id=385619

Thanks a lot for the investigation from #24. I can now reproduce the issue
you describe. That's definitely a bug, and I'll look into that.

[chro...@googlecode.com]

Comment #27 on issue 385619 by bugdro...@chromium.org: password autofill
bug on subdomains
http://code.google.com/p/chromium/issues/detail?id=385619#c27

------------------------------------------------------------------
r286465 | va...@chromium.org | 2014-07-30T10:09:25.685296Z

Changed paths:
M
http://src.chromium.org/viewvc/chrome/trunk/src/components/password_manager/core/browser/password_form_manager_unittest.cc?r1=286465&r2=286464&pathrev=286465
M
http://src.chromium.org/viewvc/chrome/trunk/src/components/password_manager/core/browser/password_form_manager.cc?r1=286465&r2=286464&pathrev=286465

PSL matched credentials with user-overwritten password are no longer PSL
matched

If the user accepts a PSL-suggested credential, but then replaces the
password, the provisionally saved credentials should no longer be
identified as PSL-matched. As a side effect, the user will be prompted
before saving them (accepted PSL-matched suggestions are saved
automatically by design).

BUG=385619

Review URL: https://codereview.chromium.org/413733002
-----------------------------------------------------------------

[chro...@googlecode.com]

Comment #28 on issue 385619 by bugdro...@chromium.org: password autofill
bug on subdomains
http://code.google.com/p/chromium/issues/detail?id=385619#c28

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src.git/+/d0d28d16d5fe2cb05d7f68460fc2cb586655b304

commit d0d28d16d5fe2cb05d7f68460fc2cb586655b304
Author: va...@chromium.org
<va...@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Date: Wed Jul 30 10:09:25 2014

PSL matched credentials with user-overwritten password are no longer PSL
matched

If the user accepts a PSL-suggested credential, but then replaces the
password, the provisionally saved credentials should no longer be
identified as PSL-matched. As a side effect, the user will be prompted
before saving them (accepted PSL-matched suggestions are saved
automatically by design).

BUG=385619

Review URL: https://codereview.chromium.org/413733002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@286465
0039d316-1c4b-4281-b951-d872f2087c98

[chro...@googlecode.com]

Comment #29 on issue 385619 by bugdro...@chromium.org: password autofill
bug on subdomains
https://code.google.com/p/chromium/issues/detail?id=385619#c29

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src.git/+/d7b0f8c76f05dcb04523e68cf8b1258f85e7c417

commit d7b0f8c76f05dcb04523e68cf8b1258f85e7c417
Author: vabr <va...@chromium.org>
Date: Tue Aug 26 18:09:09 2014

Password autofill should not override explicitly typed password

Imagine the following:
(1) A user types a username, which matches saved credentials, so the
password is autofilled.
(2) The user overwrites the suggested password in the password field.
(3) The user enters the username field again, but leaves it without changes.

Currently, the autofilled password after step 3 replaces the user-typed
password from step 2.

This CL makes sure, that the password from step 2 stays.

BUG=385619

Review URL: https://codereview.chromium.org/414013003

Cr-Commit-Position: refs/heads/master@{#291938}

[modify]
https://chromium.googlesource.com/chromium/src.git/+/d7b0f8c76f05dcb04523e68cf8b1258f85e7c417/chrome/renderer/autofill/password_autofill_agent_browsertest.cc
[modify]
https://chromium.googlesource.com/chromium/src.git/+/d7b0f8c76f05dcb04523e68cf8b1258f85e7c417/components/autofill/content/renderer/password_autofill_agent.cc
[modify]
https://chromium.googlesource.com/chromium/src.git/+/d7b0f8c76f05dcb04523e68cf8b1258f85e7c417/components/autofill/content/renderer/password_autofill_agent.h

[chro...@googlecode.com]

Updates:
Status: Fixed

Comment #30 on issue 385619 by va...@chromium.org: password autofill bug on
subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

The problem described in #24 should be now solved in the tip-of-the-tree
after the fixes in #27-#29. In a short time (max 2 days), that should reach
Canary, after a couple more days Dev. Once beta and stable enter version
39, respectively, the fix should be there.

I'm closing this issue as fixed, but if you happen to reproduce the issue
in one of the versions containing the fix, please let me know.

Thanks.

[chro...@googlecode.com]

Comment #31 on issue 385619 by chri...@gmail.com: password autofill bug
on subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

I have a AD login at a company, but a handful of sites matching the pattern
*.corp.company.tld don't use AD so they have a different password.

I've saved the handful of non-AD passwords in Chrome and continue to type
my AD password for (my username is the same in both cases) sites that
aren't filled-in.

Thanks to this crazy fuzzy matching "feature" you've come up with and the
recent change that prevents me from disabling this crap from the command
line Chrome's saved password features must be disabled to meet my needs.

Congratulations! You can go ahead and delete all this fracked up saved
password code now since you've succeeded in making it entirely
non-functional anyway.

[chro...@googlecode.com]

Comment #32 on issue 385619 by jiri.thi...@avito.cz: password autofill bug
on subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

I have the same problem. As a webdesigner I work with many sites in
progress running as subdomains to our company site. Chrome overrides
passwords on them constantly. It also never asks for saving the password.
It simply overrides all the passwords for same user for all the subdomains.
It is crazy and wrong feature.

[chro...@googlecode.com]

Comment #33 on issue 385619 by jasim...@gmail.com: password autofill bug on
subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

I have had the identical problem as jiri.thi... It is my biggest Chrome
annoyance. And it has been going on for a long time.

It used to work. In fact, it continues to work for many of the subdomains
that had been saved long ago. But over time, remembering and filling
passwords for a particular subdomain fails and can never be restored. Even
though the legacy saved password still continue to work.

This is not a problem in IE or Firefox, which "just work" to remember and
autofill passwords from distinct subdomains that have the same username
across all the domains.

[chro...@googlecode.com]

Comment #34 on issue 385619 by jasim...@gmail.com: password autofill bug on
subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

An additional observation: I am on a Mac and when I go into Keychain
access, I find no entries for the domain I am trying to log in to. If I
manually login, no entries are created. I check the Chrome settings and see
that there are some "never save passwords for specific sites", which I
never entered, but I get rid of them and restart Chrome.

Then I make a manual addition for the domain and login in question.

Then when I try to login, Chrome still pulls a password from the another
domain. And I notice that there is now a new entry in the Keychain Access,
for the most recent login attempt, which has the wrong password from the
other domain.

All this behavior is clearly buggy, and it amazes me that this has been
allowed to remain in Chrome for such a long time. I definitely contributes
to my low opinion of Google's software.

[chro...@googlecode.com]

Comment #35 on issue 385619 by mar...@cammio.com: password autofill bug on
subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

I've found a solution for some cases

* remove all passwords form the password manger for all your subdomains
* open all your subdomain on separate tabs in chrome
* login to each subdomain but don't click on "save password" yet
* if your are logged in to each subdomain click on "save password" on each
tab.

This works for me. I don't know what will happen if you add a new sub
domain.

[chro...@googlecode.com]

Comment #36 on issue 385619 by jasim...@gmail.com: password autofill bug on
subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

Sounds like this could be worth a try. However, Chrome no longer asks for
passwords to be saved for my domains. This is a separate bug that I have
also opened here, but without good results.

In the meantime, I have resorted to just using a separate password manager
1Password, which I use for other sites anyways. I just give us the
convenience of using the browser's password manager, which continues to
work normally for Firefox, Safari, and even IE.

[chro...@googlecode.com]

Comment #38 on issue 385619 by draltan....@kwenzi.com: password autofill

bug on subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

I have a similar problem for which the solution in #13 won't work. The
solution in #35 works, but it is a workarround that needs to be reexecuted
for every new subdomain.

The main site of my company is https://domain.com and there are multiple
applications each using a subdomain like https://app.domain.com, and we are
often adding new applications (there are some test applications, but also
new services).

I understand it is not easy to determine whether different subdomains
belong to the same service or to different ones, consider:
myservice.com
m.myservice.com
www.myservice.com
git.myservice.com
blog.myservice.com

It should be possible to manually input passwords in
chrome://settings/passwords so the user can decide which services require
different passwords.

[chro...@googlecode.com]

Comment #39 on issue 385619 by jpsyjo...@gmail.com: password autofill bug
on subdomains
https://code.google.com/p/chromium/issues/detail?id=385619

Working on OS X and using sub-domains all the time for our different web
projects, this behavior is extremely annoying. #35 is not really a solution
– it would mean to go through all projects sub-domains again whenever we
add a new project. Simply impossible.