Issue 370363 in chromium: autofill for forms not deactivatable

[chro...@googlecode.com]

Status: Unconfirmed
Owner: ----
Labels: Pri-2 Via-Wizard Type-Compat OS-Linux

New issue 370363 by andreas....@gmail.com: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/34.0.1847.132 Safari/537.36

Example URL:

Steps to reproduce the problem:
1. Make a login form with fields "user" (text) and "password" (password)
2. Confirm the save prompt
3. Create another form with autocomplete="off" containing a
textfield "city" and a password field (password) - the previously saved
credentials are autofilled into this fields, even if the textfield has
another name.

What is the expected behavior?
Do not autofill the fields.

What went wrong?
The textfield in the settings.html has another name than the textfield from
the login.html. I think, if Chrome detects a passwordfield, it takes this
field and the previous occuring textfield and puts the saved user
credentials into these fields.
If the passwordfield is the first field in the form, it does not trigger.
The form is even autofilled after adding autocomplete="off" into the form
and the fields.

Does it occur on multiple sites: N/A

Is it a problem with a plugin? No

Did this work before? N/A

Does this work in other browsers? Yes

Chrome version: 34.0.1847.132 Channel: stable
OS Version: Ubuntu 14.04
Flash Version: Shockwave Flash 13.0 r0

Please take a look at the example files, maybe you need to open a vhost for
testing.
Also, please note the invalid file url in the login form, I didn't find
another way to trigger the save prompt in Chrome.

Attachments:
login.html 323 bytes
settings.html 349 bytes

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[chro...@googlecode.com]

Updates:
Labels: Needs-Feedback

Comment #1 on issue 370363 by smok...@chromium.org: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

Tried opening attached login.html file and entered a test user and
password, but didn't prompted to save password and thus not seeing the
entries in settings.html

However, I tried above steps in Firefox and it prompted to save the
password and under settings.html, it does autofill the content entered in
login.html.

[chro...@googlecode.com]

Comment #2 on issue 370363 by andreas....@gmail.com: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

I can confirm this when I open login.html directly. On a webserver is the
problem reproducible here. I just made you a screencast.

Attachments:
screencast-20140507-chromium-370363.mp4 698 KB

[chro...@googlecode.com]

Updates:
Labels: -Needs-Feedback Needs-Bisect

Comment #3 on issue 370363 by ligim...@chromium.org: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

(No comment was entered for this change.)

[chro...@googlecode.com]

Updates:
Status: Assigned
Owner: j...@chromium.org
Cc: nyerrami...@chromium.org
Labels: -Pri-2 -Type-Compat -Needs-Bisect Pri-1 Type-Bug-Regression M-34
OS-Windows

Comment #4 on issue 370363 by nyerrami...@chromium.org: autofill for forms
not deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

CHANGELOG URL:

http://build.chromium.org/f/chromium/perf/dashboard/ui/changelog.html?url=/trunk/src&range=248882%3A248901

Suspecting 248885

jww@, Would you mind checking the above issue & see if it's related, please
re-assign if it is not related to your change.

Able to reproduce this issue on Win7 also ,34.0.1847.137 (Official Build
268882) m

[chro...@googlecode.com]

Updates:
Cc: gca...@chromium.org

Comment #5 on issue 370363 by j...@chromium.org: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

It is certainly working-as-intended that Chrome now ignores
autocomplete='off' for password forms (a la issue 177288), and I'm positive
that's what enabled this behavior. So just to clarify, is the argument that
settings.html doesn't really contain a password-form per se (that is, it
contains a form which happens to have a password field, but it should be
considered a password-form for autofill purposes)? Or is there something
else going on that I'm missing?

You are certainly correct that we should still respect autocomplete='off'
for non-password forms, but I'm not sure what exactly counts as a
password-form vs non-password-form in this case. I'm CC'ing gcasto on this
who might be able to shed some light as well.

[chro...@googlecode.com]

Comment #6 on issue 370363 by andreas....@gmail.com: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

Just to clarfiy my situation: I have a form in which the user can change
his postal address. In the same form the user is able to change this online
data, like email, website and even his password, which must be entered two
times for validation purposes. That's why in my example settings.html are
two password fields.

Like in the example, the text field before the password field is
named "city", so the username doesn't make much sense in this field.

I don't know whats the point in issue #177288 because of a 403.
If it's really needed that Chrome ignores autocomplete="off", it's maybe
better the field names are stored, too. Then the values are autofilled only
if any form has the same fields.

[chro...@googlecode.com]

Updates:
Status: WontFix

Comment #8 on issue 370363 by j...@chromium.org: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

From comment #7, it sounds like this is WAI, so I'm going to mark as
WontFix. If you feel that this is in error and I've misunderstood, feel
free to reopen and explain my mistake.

I should also mention that if these two pages are hosted on the same domain
(which is the only way to get Password Autofill to recognize a connection
between them), then this wouldn't be a security vulnerability anyway, since
if a Bad Guy had control of the page that it gets filled on, they would
also have control of the other page (a la the Same Origin policy).

[chro...@googlecode.com]

Comment #9 on issue 370363 by caio...@gmail.com: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

Hi
I've got a issue reported in my application and when I looked for the root
cause of the issue I found this thread, related to the change made for
Chrome v34.

I understand the intended password autofill feature even if the application
sets autocomplete=off in form fields. A lot of sites I use I wish it was
possible to save the password, but the application does not allow it.

Back to the issue, and assuming it is the same issue raised in this thread,
in my application there is a form where the user inserts some data then
confirm its password so the form could be submitted.

Chrome is autofilling the password field and that is OK. But the previous
field, which is "city", is being autocompleted with the saved
username/email, even if the input tag has name="city" and not
name="username".

So as said in this thread there are a lot of reasons why Chrome intends to
remember user's password. But from version 34 Chrome is filling the
username/email into wrong fields.

Could you guys check that?
Thanks a lot

[chro...@googlecode.com]

Comment #10 on issue 370363 by val...@gmail.com: autofill for forms not
deactivatable
http://code.google.com/p/chromium/issues/detail?id=370363

I can confirm what "caio...@gmail.com" said
(https://code.google.com/p/chromium/issues/detail?id=370363#c9).

I've reproduced the same wrong behavior.

This is clearly a bug in Chrome. I hope you guys can address it as soon as
possible.

Tx

[chro...@googlecode.com]

Comment #11 on issue 370363 by cowe...@gmail.com: autofill for forms not
deactivatable
https://code.google.com/p/chromium/issues/detail?id=370363

Setting the autocomplete attribute to "off" does not disable Chrome
autofill in more recent versions of Chrome. Instead you must set
autocomplete on each input as follows

`<input autocomplete="smartystreets">`

you can set autocomplete to anything besides "on" or "off" and it will
disable Chrome autofill

[chro...@googlecode.com]

Comment #12 on issue 370363 by mahajan....@gmail.com: autofill for forms
not deactivatable
https://code.google.com/p/chromium/issues/detail?id=370363

no its still not working :(

[chro...@googlecode.com]

Comment #13 on issue 370363 by basz...@gmail.com: autofill for forms not
deactivatable
https://code.google.com/p/chromium/issues/detail?id=370363

Google sucks

[chro...@googlecode.com]

Comment #16 on issue 370363 by les.cbsi...@gmail.com: autofill for forms
not deactivatable
https://code.google.com/p/chromium/issues/detail?id=370363

We have a client that has agents log into a secure area. While in this
secure area, they create retail accounts for customers. Autofill is
assigning the agent's username to the customer's city field, and the
agent's password to the customer's password field. This only happens when
the agent is using Chrome.

[chro...@googlecode.com]

Comment #17 on issue 370363 by j...@chromium.org: autofill for forms not
deactivatable
https://code.google.com/p/chromium/issues/detail?id=370363

It sounds like we may have an autofill bug, and that should probably be
fixed. Can you please final a new bug with the example form (and even
better, a website we can test it)?

[chro...@googlecode.com]

Comment #18 on issue 370363 by jboe...@gmail.com: autofill for forms not
deactivatable
https://code.google.com/p/chromium/issues/detail?id=370363

When is this going to be fixed? It used to work with <form
autocomplete="off">