Comment #90 on issue 178358 by erik...@chromium.org: A pop up
Chrome has several keychain related bugs.
I am going to list explicit reproduction steps for the bug that most of
this thread is concerned with:
1. The login and local item keychains are unlocked.
2. There is a keychain item in one of these two keychains with kind = "Internet password" for a site like twitter.com.
3. Right click on the keychain item, and click "Get Info". Navigate to the "Access Control" tab. The radio button "Confirm before allowing access" should be selected, and the box "Ask for Keychain password" should be unchecked. Under the list: "Always allow access by these applications", "Google Chrome" should not be present.
4. Navigate to twitter.com.
5. Keychain popup comes up: "Chrome would like to use your keychain....". Click either "Allow" or "Deny", but do not click "Always allow".
Result: I get prompted 8 times immediately after loading the twitter.com site.
Expected result: I get prompted exactly 1 time, or I don't get prompted at all.
The problem is that Chrome assumes that accessing the Keychain has no UI
impact. This is true for keychain items where Chrome is already allowed
access. This is not true for keychain items created by Safari, Firefox,
Chromium, Chrome Canary, etc.
(As an aside, the latest versions of Safari and Firefox don't
create "Internet Passwords" in the keychain. Safari makes "Web form
passwords" and Firefox doesn't touch the keychain at all.)
I discussed potential solutions with isherman. This is what we decided:
Step 1) Chrome should be able to tell if accessing a keychain item would
cause a keychain prompt. Never do so on initial page load.
Step 2) If a user types a username into a form, and the username matches
a particular keychain item that Chrome does not have access to, immediately
prompt the user for access to the keychain item.
Step 1 is high priority, and also easy. It removes a major UI pain point
for many users and will fix this bug.
Step 2 is lower priority, and possibly more difficult. I believe someone
was already working on building this functionality, but then stopped. It
affects a smaller proportion of users, but could be very useful for them.
I am going to immediately implement Step 1, and look into Step 2.
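
One way to make the Step 1 check with the legacy SecKeychain API (deprecated on current macOS), as an added example that is not part of the comment above and not Chromium's code. The helper name `ReadPasswordWithoutPrompt` is hypothetical; it assumes a macOS build linked against Security and CoreFoundation.

```objective-c
// Added example, not Chromium code. Build on macOS:
//   clang probe.m -framework Security -framework CoreFoundation
#include <Security/Security.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// Hypothetical helper: read the "Internet password" for `server` only if
// that needs no UI. Returns true and fills *out / *out_len on success.
// Returns false with *needs_prompt set when the read would have raised a
// keychain dialog (item ACL requires confirmation, or keychain is locked).
static bool ReadPasswordWithoutPrompt(const char *server, void **out,
                                      UInt32 *out_len, bool *needs_prompt) {
  *needs_prompt = false;
  SecKeychainItemRef item = NULL;
  // NULL passwordLength/passwordData: locate the item without decrypting
  // it, so this lookup itself cannot trigger an access prompt.
  OSStatus s = SecKeychainFindInternetPassword(
      NULL, (UInt32)strlen(server), server, 0, NULL, 0, NULL, 0, NULL, 0,
      kSecProtocolTypeAny, kSecAuthenticationTypeAny, NULL, NULL, &item);
  if (s != errSecSuccess) return false;  // no matching item

  // The interaction switch is process-wide: save it, and always restore it.
  // Other threads using the keychain are affected while it is off.
  Boolean was_allowed = true;
  SecKeychainGetUserInteractionAllowed(&was_allowed);
  SecKeychainSetUserInteractionAllowed(false);
  s = SecKeychainItemCopyContent(item, NULL, NULL, out_len, out);
  SecKeychainSetUserInteractionAllowed(was_allowed);
  CFRelease(item);

  // With interaction disabled, a read that needs user confirmation fails
  // with errSecInteractionNotAllowed instead of showing the dialog.
  if (s == errSecInteractionNotAllowed) *needs_prompt = true;
  return s == errSecSuccess;
}

int main(void) {
  void *pw = NULL;
  UInt32 len = 0;
  bool needs_prompt = false;
  if (ReadPasswordWithoutPrompt("twitter.com", &pw, &len, &needs_prompt)) {
    printf("readable silently (%u bytes): safe to use on page load\n", len);
    SecKeychainItemFreeContent(NULL, pw);  // never log the secret itself
  } else if (needs_prompt) {
    printf("would prompt: skip on page load, ask only after user input\n");
  } else {
    printf("no matching keychain item\n");
  }
  return 0;
}
```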