palant / pfp

A simple and secure browser extension to be used with KeePass databases.
https://pfp.works/
Mozilla Public License 2.0

Page using iFrame form => "The page has no password fields..." and saving an Alias doesn't work #143

Open charliemb2 opened 10 months ago

charliemb2 commented 10 months ago

I realize this is an anti-phishing feature. However, I've been able to get around it with KeePassXC-Browser so there should be a way to get iFrames to work with PfP, at least with an Alias (a special feature of this extension).

The issue

Some important sites are using iFrames to display a window for entering login creds. The URL of the main page includes a subdomain and the iFrame uses a different subdomain. The domains are the same.

This yields the anti-phishing message: "The page has no password fields or the password fields belong to different site! ...."

Actual example

The login page at the browser was (is) https://client.schwab.com/Login/SignOn/CustomerCenterLogin.aspx?&kc=y&sim=y

The above URL is different from that which comes up in the form. An iFrame is used for the form. From UBlock Origin, the iFrame that comes up for the login form uses: https://sws-gateway-nr.schwab.com/ui/host/#/login-one-step

For KeePassXC-Browser, the following works for the URL field stored in the kdbx file: https://sws-gateway-nr.schwab.com/. Thus, this extension is able to find the password fields in the iFrame form.

I tried to set the URL field in the kdbx database to https://schwab.com/ for PfP but that wasn't recognized.

I believe that PfP sees client.schwab.com. The database entry in the kdbx file shows https://sws-gateway-nr.schwab.com/. I tried to set up an Alias between these two and PfP returns the same phishing message. Of course, this is because the main site indeed doesn't have password fields.

P.S. I've noticed that in two cases where this doesn't work, the iFrame is set up to pass focus to the main site when the user clicks outside of the iFrame window, as when clicking on the PfP extension, or on a different site just by moving the mouse away from the area of the form. Moreover, Ctrl-Shift-F also loses focus to the main page.
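
The host relationship described in this issue, as an added example that is not part of the original report and is not PfP or KeePassXC-Browser code: it compares the top page, the iFrame and the stored entry URL under a hypothetical fill policy. The names `siteOf` and `fillDecision`, the policy itself and the two-entry suffix list are assumptions; a real check needs the full Public Suffix List.

```javascript
// Added illustration only: not PfP or KeePassXC-Browser code.
// Constructed stand-in for the Public Suffix List; a real check needs the full list.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain ("site") of a URL, e.g. client.schwab.com -> schwab.com.
function siteOf(url) {
  const labels = new URL(url).hostname.toLowerCase().split(".");
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-take).join(".");
}

// Hypothetical policy: may an entry stored for entryUrl be used for a password
// field inside frameUrl, which is embedded in the page at topUrl?
function fillDecision(topUrl, frameUrl, entryUrl) {
  const frame = new URL(frameUrl);
  const entry = new URL(entryUrl);
  if (frame.protocol !== "https:") return "deny: frame is not HTTPS";
  // A frame served from a different site than the embedding page gets nothing.
  if (siteOf(frameUrl) !== siteOf(topUrl)) return "deny: cross-site frame";
  // The field lives in the frame, so the frame's host is what the entry must match.
  if (entry.hostname === frame.hostname) return "fill";
  if (siteOf(entryUrl) === siteOf(frameUrl)) return "ask: same site, different host";
  return "deny: entry belongs to another site";
}

// URLs quoted in the issue.
const TOP = "https://client.schwab.com/Login/SignOn/CustomerCenterLogin.aspx?&kc=y&sim=y";
const FRAME = "https://sws-gateway-nr.schwab.com/ui/host/#/login-one-step";

console.log(fillDecision(TOP, FRAME, "https://sws-gateway-nr.schwab.com/"));
console.log(fillDecision(TOP, FRAME, "https://schwab.com/"));
// Constructed cross-site frame (example.net is a placeholder host).
console.log(fillDecision(TOP, "https://login.example.net/", "https://login.example.net/"));
```

Under this policy an entry keyed to the frame's own host fills without prompting, while an entry for the bare domain or for the top page's host only reaches a confirmation step.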