bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Selecting "Never for this site" when prompted to remember the password has no effect #1641

Open retrocaster opened 3 years ago

retrocaster commented 3 years ago

Describe the Bug

Selecting "Never for this site" when prompted to remember the password has no effect

Steps To Reproduce

  1. Go to https://investor.vanguard.com/my-account/log-on
  2. Enter a User Name and Password and click "Log On"
  3. When prompted with "Should Bitwarden remember this password for you?" select "Never for this website"
  4. If you've logged in with an actual account, then log off
  5. Repeat steps 1-2

Expected Result

After steps 1-3 you should never get the "Should Bitwarden remember this password for you?" again on the site

Actual Result

Every time you do steps 1-2 you get the "Should Bitwarden remember this password for you?" prompt

Environment

kendratodd commented 3 years ago

Thanks for the report @retrocaster! I was able to reproduce this and will make sure it's added to the backlog to be prioritized.

As an aside, or if it's of help to anyone else who sees this thread, I noticed that the reason the remember password prompt keeps popping up is because personal.vanguard.com gets added to the extension's excluded domains, rather than investor.vanguard.com. As a workaround to avoid the nuisance of the repeated banner for now, you could add investor.vanguard.com to the excluded domain list manually.

mgerdts commented 3 years ago

Similarly, fidelity.com (aka oltx.fidelity.com) is fixed by adding digital.fidelity.com to the excluded domain list.

zQueal commented 2 years ago

I've been dealing with this issue for months. It's incredibly annoying and I'm very close to simply removing the damn extension to get rid of it.

Is there any update on this? It's been months?

eliykat commented 2 years ago

Hi @zQueal this is an issue that only affects some sites, so while it's on our triaged bugs list, it hasn't been actioned yet.

I can understand it's annoying though. Have you tried the workaround described above of adding the related site to the excluded domains list?

zQueal commented 2 years ago

I've seen this bug on hundreds of domains (literally, not figuratively), so clearly a workaround by adding each domain manually isn't going to work. I've completely solved the problem by removing and not using Bitwarden.

Prioritizing issues is cool and all, but not fixing an issue for over a year that's tantamount to nagware on the end user is a bit more friction than I can handle. 🤷‍♂️

eliykat commented 2 years ago

I understand and we'll take that feedback on board. Thanks for letting me know. Based on the original report, I didn't realise the issue was that widespread, and I definitely agree that trying to do it on a per-site basis at that scale isn't practicable.

For anyone else who is experiencing it on many sites, you can also disable the "save password" prompt in the browser extension's settings. (Again, not ideal, but maybe the lesser of two evils.)

jlcfly commented 10 months ago

In apps/browser/src/autofill/content/notification-bar.ts, line 112, I'm wondering about this line:

const excludedDomainsDict = globalSettings.neverDomains;

globalSettings comes from a function that calls chrome.storage.local.get with the "global" key. However, when I do this manually in the extension debugger, it returns an object with one key, "global", and then neverDomains is a subkey. In other words, I'm wondering if globalSettings.neverDomains should really be globalSettings.global.neverDomains?

I can confirm the site is added to the Excluded Domains in the extension, however, it seems like it's not read from the domains, and this might be why. I'm no expert, though.

retrocaster commented 10 months ago

The solution proposed by @kendratodd above worked till recently, but now I'm getting prompts again.

I currently have the following in my excluded domains list: investor.vanguard.com logon.vanguard.com personal.vanguard.com web.vanguard.com

I've also tried adding: vanguard.com *.vanguard.com

There doesn't seem to be wildcard functionality and I'm not sure how to tell what new subdomain is being used. It's certainly nothing visible in the url.

retrocaster commented 10 months ago

Or perhaps there's no new subdomain and a recent change broke the excluded domain functionality? eg. https://github.com/bitwarden/clients/pull/6886 ? @jlcfly

jlcfly commented 10 months ago

Oh, yeah, I see that. That change changed it from userSettings to globalSettings. I don't think ANY excluded domain will work right now. Possibly anywhere globalSettings is referenced is problematic in that block of code. There's a couple of other lines that might be affected. As an aside, I see nothing in there about handling wildcards in excluded domains. It looks like a simple dictionary lookup based on an exact match of the domain name in your browser's address bar.

I'm pretty sure I know what the fix for this should be, but I don't have the environment set up for it, so I'm going to leave this to those that do. Hopefully someone will see this.
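The storage shape and the exact-match lookup discussed in jlcfly's two comments above, as an added JavaScript example that is not part of the thread and not Bitwarden's code. storageGet is a constructed stand-in for chrome.storage.local.get, the sample data is made up, and excludedByParent is a hypothetical parent-domain match that nothing in this thread says the extension implements.

```javascript
// Added illustration; all function names and sample data are hypothetical.

// Constructed sample of stored settings: a dictionary keyed by hostname.
const STORE = {
  global: {
    neverDomains: { "personal.vanguard.com": null, "*.vanguard.com": null },
  },
};

// Stand-in for chrome.storage.local.get(key): the result is wrapped under the key.
function storageGet(key) {
  return { [key]: STORE[key] };
}

// Own-property check, so names like "constructor" never count as excluded.
const has = (dict, name) =>
  dict != null && Object.prototype.hasOwnProperty.call(dict, name);

// Reads neverDomains off the wrapper object, the mismatch the comment suspects.
function excludedReadingWrapper(hostname) {
  const globalSettings = storageGet("global");
  return has(globalSettings.neverDomains, hostname); // neverDomains is undefined
}

// Unwraps the "global" key first, then does the exact-match lookup.
function excludedExact(hostname) {
  const globalSettings = storageGet("global").global;
  return has(globalSettings && globalSettings.neverDomains, hostname);
}

// Hypothetical parent-domain match. It compares whole labels, so an entry for
// "vanguard.com" covers "web.vanguard.com" but never "notvanguard.com", and a
// multi-label hostname is never matched against its bare top-level label.
function excludedByParent(hostname, dict) {
  const labels = hostname.toLowerCase().split(".");
  const last = Math.max(1, labels.length - 1);
  for (let i = 0; i < last; i++) {
    if (has(dict, labels.slice(i).join("."))) return true;
  }
  return false;
}
```

With the wrapper read, every hostname comes back as not excluded, which matches the symptom of the prompt returning for sites already on the list.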

evoactivity commented 9 months ago

This is incredibly annoying. I'm a web developer and I have localhost and 127.0.0.1 in my excluded domains but every single time I login on a site or app I'm working on I get nagged to save the password.

@jlcfly if you could give me a hint on what the fix for this should be I would be willing to submit a PR myself to stop this. I see it so many times every single day I need it to stop!

jlcfly commented 9 months ago

@evoactivity, actually, good news! v2024.1.0 released a few days ago, which fixes this, thanks to @justindbaur. I just tried it out and can confirm I'm no longer getting the prompt every time.

evoactivity commented 9 months ago

That's good news indeed! I tried the latest version in firefox developer edition and I also confirm it's not prompting me anymore. Looking forward to updating it in my regular firefox!

richardNZ16 commented 4 months ago

I still have this issue in 2024.5.2... I am trying to block Microsoft Planner domain as I am getting auto fill request when trying to populate the "Assign To" field, which is extremely annoying.


I've added "tasks.office.com" to the excluded domain list, but it has no effect...


justindbaur commented 4 months ago

Hi @richardNZ16 this GitHub issue is about the Auto-save a login feature we have. The issue you are having is with our inline autofill feature. The excluded domains list is used for the former of those two features but not the latter. We currently do not have a way to turn off the inline autofill for only certain sites. It is possible to fully disable the inline autofill menu (or make it so that it's only an icon until clicked).

What might be helpful is for you to exclude the bing.com, hotmail.com, live.com, microsoft.com, msn.com, passport.net, windows.com, microsoftonline.com, office.com, office365.com, microsoftstore.com, xbox.com, azure.com, windowsazure.com equivalent domain rule we have. This would make it such that your login entries that look to be saved on microsoftonline.com wouldn't show up on an office.com site.

richard-lee-863 commented 4 months ago

Thank you for the distinction there. I'll review my auto fill settings. Probably happy to just not auto fill and do it via keyboard shortcut when required.

retrocaster commented 3 weeks ago

This issue has resurfaced again with Vanguard. I currently have seven (!) exclusions:

investor.vanguard.com logon.vanguard.com personal.vanguard.com web.vanguard.com secure.vanguard.com personal1.vanguard.com dashboard.web.vanguard.com

Not sure what else to exclude as this list includes every visible url I've seen.

Why can't the pop up message just give me the option to exclude whatever domain the message is a part of? It's kind of ridiculous that this is made so difficult.