Autosubmit form by emitting Enter keypress

[ipundit]

General information

• Operating system + version: Windows 10 64 bit
• Browser + version: Chrome 67.0.3396.99 64 bit
• Information about the host app:
  • How did you install it: Prebuilt binary
  • If installed an official release, put a version: 2.0.21
• Information about the browser extension: Chrome webstore

---

Google requires you to authenticate with your email and password in two separate steps, and it's fooling browserpass:

Exact steps to reproduce the problem

1. Check Automatically submit forms after filling in the Chrome extension options
2. Browse to https://accounts.google.com/ServiceLogin/signinchooser
3. Click Use another account
4. Ctrl+Shift+L and select a login to fill
   • Bug: The form is submitted, but the browser is redirected to an error page stating: "405. That’s an error. The requested URL was not found on this server. That’s all we know."
5. Repeat steps 1-3, but manually type in your email that was to be auto-submitted and click Next. You are now presented with a form to put in your password.
6. Ctrl+Shift+L and select a login to fill
   • Bug: the password is filled in, but the form is not submitted
7. Press enter to login. This works, but should not be necessary when Automatically submit forms after filling is selected

[erayd]

@maximbaz What are your thoughts regarding a multi-submit login workflow?

Obviously the error page is a problem, but more generally, should we ever auto-submit multiple pages, or is this too dangerous? If we do it, should it be site-specific, or more generalised logic that tries to work for everything (I reckon that if we do it, it should be the latter).

[erayd]

Ignore the close sorry - typing on my phone and bumped the wrong button. I've reopened it.

[maximbaz]

We have recently discussed the multi-submit login workflow and also agreed to implement it, good timing 🙂

I think it should be generalized, and I think we should allow auto-submit if user configured so, it is easy to disable it on per-site basis if needed.

Now, to the failing auto-submit on Google. I was hoping to say that it would be fixed with #261, but looks like it won't - Google simply doesn't follow the standards and doesn't mark that this button is a submit button for the login form, so we don't know which button to click. And we don't want browserpass to click on wrong buttons on a webpage. We'll look closely when we get to this issue, but I have a feeling it won't be fixed, unfortunately.

[ipundit]

LastPass toggles auto-submit on a per login basis rather than a per site basis. If auto-submit is toggled on, it fills in the login form as soon as you browse to it and clicks the submit button for you. This allows you to never have to enter any credential to login to a site - nice, except in the case where you have multiple logins for a site. Toggling auto-login for all the logins except the one you want to use as the default login allows you to login without credentials most of the time.

When I want to login as another user after LastPass has logged me in, I immediately logout of the site and LastPass' auto-login feature is disabled for that site for a minute or so (I'm not exactly sure how long its timeout is). Then I can choose the other login as usual and click the login button. If this ends up happening too often, I either change which login acts as the default login, or disable auto-login for all the logins of that site. In either case, a per-login rather than per-site auto-login toggle is necessary.

As for the Google case, can you click the button if there is only one button on a page? By the process of elimination, that one single button must be the login button :).

Failing that, how about clicking the button with the text "Login" or in Google's case, "Next"?

Failing that, how about entering the password into the password field, followed by an [enter]? Google, and probably other sites have programmed the login button to be the default button clicked when the user presses [enter].

[maximbaz]

It is per-login in browserpass as well, not per-site, sorry for confusion (plus a global toggle). Except you still have to select the credentials manually, no magic is happening, so auto-submit is truly only "clicking the submit button after I select credentials".

I'm not fan of clicking any unknown buttons, regardless of how many they are. To be precise, Google sign-in page has 0 <button> tags on the page, for the login button they use <div role=button>, and there are 4 such divs on the page. Selecting by text in the button can also lead to false positives, and requires localization support.

But I like the last idea, automatically pressing Enter. I'm not sure if it is possible, but definitely worth investigating! We already have the logic that when a submit button is not found, we focus the password field specifically so that a user can just press Enter, but somehow I never thought of pressing the Enter for user as well.

Thanks for all the ideas 👍

[ipundit]

What we really need is the button id, which in this case, is <div id="passwordNext"> and is highly specific to this particular Google login page. A per-login page lookup table would then be necessary to handle these exception cases, which is impractical to set up for the whole Internet.

So why don't you let the user set up his own look up table?

1. User auto-fills and attempts to auto-login to a site, say Google in this example. It fails to auto-login.
2. User immediately clicks the login button, because that is his goal. It is highly improbable that he will click any other button than the login button right after a failed auto-login.
3. On button click, browserpass gets the id of the clicked button and records a URL->submit-button-id mapping in a local database
4. The next time the user tries auto-logging in, browserpass looks up the URL->submit-button-id mapping, and clicks the right button to log in

This means every user will have to manually login to a website once to train the auto-login feature.

Version 2 of this idea would be to crowdsource and aggregate everybody's URL->submit-button-id mapping:

1. User auto-fills and attempts to auto-login to a site, say Google in this example. It fails to auto-login.
2. User immediately clicks the login button, because that is his goal.
3. On button click, browserpass gets the id of the clicked button and sends the URL->submit-button-id mapping to a centralized database.
4. Browserpass downloads and caches this centralized database.
5. The next time the user tries auto-logging in, browserpass looks up the URL->submit-button-id in this cached database, and clicks the right button.

This means a website will only have to be manually logged in once by anyone in the world to benefit everybody else. This database would also be useful for research purposes, to find out which ids are used to identify a login submit button, and which login pages are used most often. If a pattern among the ids could be found with sufficient data points, then the general submit-button identification algorithm could be enhanced with that knowledge to decrease the size and need for this exception database.

There are performance, privacy and security concerns with having a centralized database of submit form meta-data. One solution is to use volunteers to vet submitted mappings before distributing them to the world. Another solution is to use a voting mechanism: if enough people agree (ie submit the same) URL->submit-form id mapping, then that mapping could be considered trusted or worthy of human review before global distribution.

Version 3 of this idea is to extend form filling support to all types of forms, especially for eCommerce sites where they want you to fill in your contact and purchase information. There's no standard for identifying these fields, but if you have a sufficiently large data set of form-ids and know which forms are filled out most often, then you can focus your development and test resources on the 20% of forms that 80% of the world commonly uses.

[maximbaz]

The issue with Google login will probably be solved by triggering an Enter keypress event, and together with #261 browserpass will be able to correctly submit 99% of forms. Let's see then which websites will still have issues.

Currently I'm not sure that implementing lookup tables for button selectors is worth time investments for that limited amount of the completely broken forms that don't follow the stardards of marking the form buttons correctly, have no form submit action assigned and don't react on Enter keypress, especially if we also account for time on maintaining the larger and more complex codebase.

As for supporting more form fields, that we will have at some point, tracked by #187.

[maximbaz]

Multi-step authentication will be tracked by #286, this ticket will track submitting forms by emitting Enter keypress.

[maximbaz]

Implemented in 3.0.2, also see #331. Sadly only works in Chromium, not in Firefox.