arachnys / cabot

Self-hosted, easily-deployable monitoring and alerts service - like a lightweight PagerDuty
MIT License

[Chromium] "Add HTTP check" form gets unrelated log-in credentials auto-filled for HTTP auth #605

Closed hartwork closed 6 years ago

hartwork commented 6 years ago

When I choose to save log-in credentials after log-in in Chromium, next time I create a new HTTP check at /httpcheck/create/ that very user name and password are auto-filled in the HTTP auth fields because they use the same HTML IDs. That's rather annoying as these credentials are unrelated. For a fix I suppose either the log-in form or the HTTP auth fields would need a rename.

Thanks in advance!

dbuxton commented 6 years ago

Sounds more like a bug/deficiency in Chromium password manager than Cabot form tbh. I don't think it's a crazy idea to rename but I can't see it being worth the effort.

hartwork commented 6 years ago

The issue is very annoying and someone may provide a pull request to fix it. I'd provide one myself if the form code was easier to adjust; maybe I'll find a way later. I doubt I'm the only one using Chromium who saved the password and is bugged by this issue. You are not using Chromium or not saving passwords? Please re-open. Thank you.

dbuxton commented 6 years ago

I don't think it's an application issue so much as a UX issue with Chromium's password manager. (I use a different one which only autofills when you press a hotkey).

A lot of people seem to agree that it's not great: https://bugs.chromium.org/p/chromium/issues/detail?id=370363#c7

I'd be open to a solution that involved disabling autofill on those inputs (using something like autocomplete="new-password") but I don't think changing the id or name of the input is a great idea as it will almost certainly break the forms and require some additional complexity...

hartwork commented 6 years ago

I played a bit with this myself now. I can confirm that autocomplete="off" is ignored, the fool-the-browser trick autocomplete="something-invalid" does not work, and putting two hidden fields in front does not work either. autocomplete="new-password" seems to work well and does not seem to cause any harm I would be aware of. You sound like you'd be okay with giving that a shot. Please check out #609.

PS: I can also confirm that Chromium's logic is: Find password field, insert username into field before. Whatever it's called. Very smart :smile: And renaming fields didn't change a thing. Fun ride :smile:
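
A check for rendered forms that applies the two observations from this thread, added here as an example and not part of the issue or of Cabot's code: it finds each password input that lacks autocomplete="new-password" and reports the text field directly before it, which is where the thread says Chromium puts the saved user name. The form markup and field names below are constructed for the demo.

```python
from html.parser import HTMLParser

# Input types that can sit in the "user name" slot before a password field.
TEXT_TYPES = {"text", "email", ""}


class AutofillAudit(HTMLParser):
    """Collect password inputs that do not set autocomplete="new-password"."""

    def __init__(self):
        super().__init__()
        self.prev_text = None  # most recent text-like input in the current form
        self.findings = []     # (password_field, preceding_text_field or None)

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.prev_text = None  # the heuristic does not cross form boundaries here
            return
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        kind = a.get("type", "text").lower()
        name = a.get("name") or a.get("id") or "?"
        if kind == "password":
            if a.get("autocomplete", "").lower() != "new-password":
                self.findings.append((name, self.prev_text))
            self.prev_text = None
        elif kind in TEXT_TYPES:
            self.prev_text = name


def audit(html):
    """Return (password_field, preceding_text_field) pairs open to autofill."""
    parser = AutofillAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed markup: a check-creation form that stores third-party credentials.
FORM = """<form>
<input type="text" name="endpoint">
<input type="text" name="username" id="id_username">
<input type="password" name="password" id="id_password"{attr}>
<input type="number" name="timeout">
</form>"""
BEFORE = FORM.format(attr="")
AFTER = FORM.format(attr=' autocomplete="new-password"')

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```
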