bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

"Auto-fill on page load" should not fill fields with autocomplete="new-password" #7964

Open gabrielfin opened 8 months ago

gabrielfin commented 8 months ago

Steps To Reproduce

  1. Enable "Auto-fill on page load"
  2. Create an entry for https://gabrielfin.github.io/autocomplete-new-password.html
  3. Restart Firefox
  4. Log in to the Bitwarden extension and access the URL

Expected Result

The password field should not be auto-filled on page load, since it contains the attribute autocomplete="new-password"

This was a feature, see https://github.com/bitwarden/clients/pull/1400

Actual Result

The new password field is auto-filled

Screenshots or Videos

No response

Additional Context

This did not occur in previous versions (for example, I'm sure it didn't happen at least in 2023.7.1)

Operating System

Linux

Operating System Version

No response

Web Browser

Firefox

Browser Version

123.0

Build Version

2024.1.1

Issue Tracking Info

Neonwarden commented 8 months ago

Hi there,

Thank you for your report!

I have flagged this to our engineering team.

If you wish to add any further information/screenshots/recordings etc., please feel free to do so at any time - our engineering team will be happy to review these.

Thanks once again!

sdimarzo commented 7 months ago

With version 2024.2.0 I'm unable to replicate the bug

gabrielfin commented 7 months ago

It keeps happening for me in version 2024.2.0

I think a browser restart is required after step 1. And it might only happen in Firefox. I could not replicate it in Chromium.

threema-danilo commented 1 week ago

This is probably broken in general, see https://github.com/bitwarden/clients/issues/11507

cagonzalezcs commented 1 week ago

Wanna chime in here and first say that I think this topic is a good one to discuss and a concern that the autofill feature needs to improve upon.

I think the answer to this "bug" is more complex than just simply "disallowing" autofill on fields that contain autocomplete="new-password". In an ideal world, it would 100% make sense for us to guard against inserting the password into form fields that contain that attribute.

Unfortunately, we don't live in an ideal world and we can easily find examples out in the wild where the autocomplete attribute is misused in either an intentional or non-intentional manner.

Take for example the form on https://account.humana.com/. The password field contains an autocomplete="new-password" attribute, which would not be able to be filled if we guarded against filling of this attribute.

I'm willing to bet most technical users are going to be quick to state that "they didn't follow the spec, the website needs to correct itself." I absolutely agree with that sentiment, as I'm also a technical user.

The vast majority of users are going to say "Bitwarden didn't autofill my password into this login form, so Bitwarden must be broken". They wouldn't be wrong about that either.

So yeah, the sentiment above is not to say we won't fix this issue or look for a better way to represent the autocomplete spec. However, there are complications with trying to find a solution that makes sense from an end user perspective.

For now, please just know that the team is not ignoring this concern and has in fact been spending time thinking about better approaches to qualifying form fields for autofill. We'll keep working on improvements and will come back to this thread when we have some better answers to this "bug".
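To make the check discussed in this thread concrete, here is an added example of a page-load autofill gate that honours `autocomplete="new-password"`. It is illustration code written for this thread, not Bitwarden's autofill implementation; the field objects, the function names (`autocompleteTokens`, `pageLoadAutofillDecision`, `planPageLoadAutofill`) and the sample forms are assumptions standing in for real DOM inputs so the snippet runs in Node without a browser. It also covers a detail the thread does not spell out: the HTML spec defines `autocomplete` as a space-separated token list (for example `section-main new-password`), so a robust check looks for the token rather than comparing the whole attribute string.

```javascript
// Added example, not Bitwarden's code: a page-load autofill gate that skips
// fields carrying the new-password autocomplete token. Fields are plain
// objects standing in for DOM <input> elements (constructed sample data).

// The autocomplete attribute is a space-separated token list per the HTML
// spec, so split it into normalised tokens instead of comparing the raw value.
function autocompleteTokens(value) {
  return (value || "").trim().toLowerCase().split(/\s+/).filter(Boolean);
}

function isNewPasswordField(field) {
  return autocompleteTokens(field.autocomplete).includes("new-password");
}

// Decide whether a single field may be filled automatically on page load.
// A reason is returned alongside the verdict so a debug log can show why a
// field was skipped, which is what a user reporting "Bitwarden didn't fill"
// would need to see.
function pageLoadAutofillDecision(field) {
  if (field.type !== "password") {
    return { fill: false, reason: "not a password field" };
  }
  if (isNewPasswordField(field)) {
    // Filling here would write the stored password into a registration or
    // change-password form, which is the behaviour the issue reports.
    return { fill: false, reason: "autocomplete contains new-password" };
  }
  return { fill: true, reason: "eligible" };
}

// Apply the gate to every field of a page. Manual (user-triggered) fill is
// deliberately not gated here: a site that mislabels its login field as
// new-password still stays fillable on demand, which is the trade-off the
// discussion above is about.
function planPageLoadAutofill(fields) {
  return fields.map((f) => ({ id: f.id, ...pageLoadAutofillDecision(f) }));
}

// Constructed sample fields: a login form, a spec-compliant change-password
// form (one current-password, one new-password with a section token), a
// mislabelled login field, and a non-password field.
const sampleFields = [
  { id: "login-pw", type: "password", autocomplete: "current-password" },
  { id: "old-pw", type: "password", autocomplete: "current-password" },
  { id: "new-pw", type: "password", autocomplete: "section-main new-password" },
  { id: "misused-login-pw", type: "password", autocomplete: "new-password" },
  { id: "email", type: "email", autocomplete: "username" },
];

console.table(planPageLoadAutofill(sampleFields));
```

Run with `node` to see one row per field: only `login-pw` and `old-pw` are eligible on page load, `new-pw` and `misused-login-pw` are skipped with the new-password reason, and the e-mail field is skipped as not a password field. The mislabelled field shows the cost of a strict rule: it is correct under the spec but reads as "broken autofill" to the user, which is why the thread treats a plain attribute check as necessary but not sufficient.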