palant / pfp

A simple and secure browser extension to be used with KeePass databases.
https://pfp.works/
Mozilla Public License 2.0

Login autofill on sites which use different pages for login and password #82

Closed ghost closed 5 years ago

ghost commented 6 years ago

Some sites are using different pages for login and password fields (within the same URL). On the first page you provide the login and on the second one the password. In that case auto-fill of the login always fails, as the extension can't find the password field, and you have to copy it manually (filling the password field on the next page works).

Is there anything pfp can do to improve the workflow in such case?

palant commented 6 years ago

This requires website-specific logic, something that might be worth doing for popular websites. Any sites that you have in mind? Amazon recently switched to a new login flow, that's the biggest issue I am currently aware of. Microsoft login flow (includes live.com and various other domains) is also problematic.

ghost commented 6 years ago

I spotted it on a few non-popular sites. Probably it's not worth creating site-specific rules for them if no general solution is available.

palant commented 6 years ago

Could you list them nevertheless? Having this kind of flow on a small website is rather unexpected, unless they installed a generic solution which for some reason considers splitting login into multiple steps a good idea.

ghost commented 6 years ago

They're mostly financial-related sites, examples:

https://nettbanken.nordea.no/login/
https://ro.unicreditbanking.eu/en/login_form
https://retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto?dse_operationName=LOGON
https://www.pekao24.pl/ClientLogonUK.html

Maybe not small, but very geography-dependent. Many banks are using some security-by-obscurity techniques which like to piss off password managers. Anyway, resolving it case by case doesn't scale.

palant commented 6 years ago

unicreditbanking.eu is actually the typical scenario - both username and password fields are present on the page, the latter merely being hidden initially. It probably works out of the box, or maybe it will with minimal changes.

Bank Pekao is very "special" as it also features a password input method which might work with our partial passwords fill-in but I wouldn't bet on it.

The other two should be doable, maybe I can figure out some heuristic for such websites that will work in most cases without requiring special code.

ghost commented 6 years ago

Other high-profile websites that are using this:

There are also a lot of enterprise cloud services where you enter your user name on the cloud provider's page and are then taken to your organization's (i.e. company/school) login page.

Auronius commented 5 years ago

On https://paypal.com login autofill is not working right now.

palant commented 5 years ago

Yes, sknorr mentioned it above already. Amazon also had this split login process for a while but gave up on it apparently.

palant commented 5 years ago

Ok, the heuristic I have is now:

This works really well on unicreditbanking.eu. Still good but slightly less so on paypal.com because it won't focus the email field automatically, so one has to click it. santander.co.uk and send.firefox.com split the login process to two different pages, so you have to click "Fill in" again once you arrive on the next page (or copy the password manually, because send.firefox.com sends you to accounts.firefox.com which is off limits for Firefox extensions). And on pekao24.pl you have to click the client number field first, then "Fill in," then on the next page "Fill in" again (which actually works, despite partial password input).

palant commented 5 years ago

Noticed that Yandex is also affected by this issue. The new heuristic deals with it correctly without any further changes.

ghost commented 4 years ago

Not sure it makes sense to write this into a closed issue but I found two pages which are not yet properly handled by this system:

In addition, amazon.de has regressed to using the split login. However, Amazon at least works ok, as in: I have to auto-fill twice (user name, then password), but auto-fill works both times.


[1] shortened code for SAP, with spans, divs, labels and input[type=hidden] removed:

<form autocomplete="off" role="form" action="/saml2/idp/sso/accounts.sap.com" accept-charset="UTF-8" method="post">
  <fieldset>
    <input autocomplete="off" name="j_username" placeholder="E-Mail, ID, or Login Name" type="text">
  </fieldset>
  <button role="button" type="submit">Continue</button>
</form>

[2] code for Apple is weird because they seemingly use custom elements instead of a form:

<apple-auth>
  <sign-in>
    <input type="text" id="account_name_text_field" can-field="accountName" autocomplete="off" autocorrect="off" autocapitalize="off" required="required" spellcheck="false" placeholder="Apple&nbsp;ID" autofocus="">
    <input type="password" id="password_text_field" required="required" can-field="password" autocomplete="off" placeholder="Password" tabindex="-1">
    <input type="checkbox" id="remember-me">
    <button id="sign-in" tabindex="0" disabled="">Continue</button>
    <button id="sign-in-cancel" tabindex="0">Close</button>
  </sign-in>
</apple-auth>
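The thread describes three shapes a login page can take: both fields present (with the password field possibly hidden at first, as on unicreditbanking.eu), a username-only first step (the SAP form in [1]), and a password-only second step. The following is an added illustration, not pfp's own code or its actual heuristic: it classifies a page's inputs into one of those stages and derives a fill plan, including the "you will have to click Fill in again" case. It works on plain field descriptors so it can run without a DOM; `describeInputs()` is the browser-side collector, and the regular expression of username hints, the stage names and the descriptor shape are all assumptions of this example. Note that it deliberately requires no `<form>` element, which is what makes the custom-element markup in [2] classifiable.

```javascript
// Added example (not pfp's own code): classify login fields so a password
// manager can tell a normal login form from the two halves of a split login.
// Descriptors are plain objects so the logic is testable outside a browser.

// Assumed hint words for username fields; tune for your own deployment.
const USERNAME_HINT = /user|login|logon|e-?mail|account|client|\bid\b/i;
const TEXT_TYPES = new Set(["text", "email", "tel", ""]);

// Browser-side collector: describe every <input> under `root`. Custom elements
// such as <apple-auth> are fine because we never look for a <form>.
function describeInputs(root) {
  const scope = root || (typeof document !== "undefined" ? document : null);
  if (!scope) return [];
  return Array.from(scope.querySelectorAll("input")).map((el) => ({
    type: (el.getAttribute("type") || "text").toLowerCase(),
    name: el.getAttribute("name") || "",
    id: el.id || "",
    placeholder: el.getAttribute("placeholder") || "",
    autocomplete: (el.getAttribute("autocomplete") || "").toLowerCase(),
    // Visibility is recorded but not required for password fields: a password
    // input that is merely hidden for now still belongs to this login form.
    visible: el.offsetParent !== null,
  }));
}

function isPasswordField(f) {
  return f.type === "password";
}

function hasExplicitUsernameHint(f) {
  return TEXT_TYPES.has(f.type) &&
    (f.autocomplete === "username" || f.autocomplete === "email");
}

function isUsernameCandidate(f) {
  if (!TEXT_TYPES.has(f.type)) return false;
  if (hasExplicitUsernameHint(f)) return true;
  return USERNAME_HINT.test(`${f.name} ${f.id} ${f.placeholder}`);
}

// Returns { stage, username, password }; stage is one of
// "both", "username-only", "password-only", "none".
function classifyLoginFields(fields) {
  const password = fields.find(isPasswordField) || null;
  // Prefer a standards-based autocomplete hint, then a visible text field whose
  // name/id/placeholder looks like a username (hidden text inputs are ignored
  // so that tracking or CSRF fields are not mistaken for the login name).
  const username =
    fields.find(hasExplicitUsernameHint) ||
    fields.find((f) => isUsernameCandidate(f) && f.visible !== false) ||
    null;
  let stage = "none";
  if (username && password) stage = "both";
  else if (username) stage = "username-only";
  else if (password) stage = "password-only";
  return { stage, username, password };
}

// Turn a classification into fill actions. On a username-only page the manager
// fills what it can and signals that a second "Fill in" will be needed.
function planFill(fields, credentials) {
  const { stage, username, password } = classifyLoginFields(fields);
  const actions = [];
  if (username) actions.push({ field: username, value: credentials.username });
  if (password) actions.push({ field: password, value: credentials.password });
  return { stage, actions, expectSecondStep: stage === "username-only" };
}
```

In a content script the call would be `planFill(describeInputs(), credentials)`; the `expectSecondStep` flag is what lets the extension tell the user that the password will be filled after the next page loads rather than silently failing because no password field was found.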