source link: https://bugzilla.mozilla.org/show_bug.cgi?id=1120684
Open Bug 1120684 Opened 6 years ago Updated 23 days ago

Recipes that allow login credentials to be used across multiple domains (i.e., realms)

Categories: Toolkit :: Password Manager, enhancement, P2
Tracking: ASSIGNED (bug which should be worked on in the next release/iteration)
People: Reporter: ckarlof, Assigned: tgiles
References: Depends on 1 open bug, Blocks 5 open bugs
Details: Whiteboard: [passwords:recipes]

User Story

Sites that could still benefit from this:
* Country code TLDs (a.k.a. ccTLDs): ADP, airBNB, Ancestry, eBay, Amazon, TicketMaster, Eventbrite, eHarmony, FourSquare, GlassDoor, Yelp, etc.
* Microsoft: login.live.com, login.microsoftonline.com
* Comcast/Xfinity: comcast.net, xfinity.com

MIT Licensed list: https://github.com/apple/password-manager-resources/blob/master/quirks/websites-with-shared-credential-backends.json
Some web sites span multiple origins, and the same login credentials can be used to authenticate oneself at all of the origins. I call this the "authentication realm" problem. It comes up in multiple contexts, including:

* the realm allows login on http and https pages
* the realm allows login from multiple subdomains
* the realm allows login from completely different domains

Currently, the password manager will store duplicate entries for each of the origins, which is not ideal, particularly if the credentials ever change.

This bug is to support recipes to indicate that a set of origins should be treated as "the same" by the password manager for indexing, capturing, and filling purposes.
Two things worry me:
* An evil recipe could steal your passwords from a target site. Are these recipes written/reviewed/released as part of Firefox?
* A recipe that equates origins with different security properties makes users less secure. Especially http vs https.
Whiteboard: [passwords:recipes]
(In reply to Jesse Ruderman from comment #1)
> Two things worry me:
> * An evil recipe could steal your passwords from a target site. Are these
> recipes written/reviewed/released as part of Firefox?
> * A recipe that equates origins with different security properties makes
> users less secure. Especially http vs https.

I would assume that the user is responsible for ultimately grouping domains together.
The browser should do nothing but maybe give suggestions that need approval.

We already use the credentials for the non-encrypted version of a website on the encrypted counterpart.
Password changes are not synced back, so a new password won't be automatically submitted on the insecure part.
Type: defect → enhancement
Priority: -- → P3

Safari has this concept already and stores its recipes in the DomainsWithAssociatedCredentials key of WBSAutoFillQuirks.plist that ships with Safari.

This list will also be very useful for duplicate checking (bug 1118553) as a login probably shouldn't be considered a duplicate if the same credential is currently saved on two domains for the same "realm".

Blocks: 1118553
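Added example (not Firefox, Safari or Apple-list code): a minimal related-realm lookup illustrating the recipe idea from the bug description, the duplicate check mentioned in the comment above, and the http/https caveat from comment #1. The list shape is assumed to mirror websites-with-shared-credential-backends.json (groups of hostnames); the hostnames and saved logins are constructed sample data.

```javascript
// Added example, not code from Firefox or the Apple list. SHARED_BACKENDS is
// constructed data in the shape assumed for websites-with-shared-credential-backends.json:
// an array of groups, each group an array of hostnames sharing a login backend.
const SHARED_BACKENDS = [
  ["example.com", "example.co.uk", "example.de"],
  ["login.live.example", "login.microsoftonline.example"],
];

// Index every hostname to its group once so lookups are O(1).
const DOMAIN_TO_GROUP = new Map();
for (const group of SHARED_BACKENDS) {
  for (const host of group) {
    DOMAIN_TO_GROUP.set(host, group);
  }
}

// Hostnames that share a credential backend with `host`, including `host`.
// Exact match only: subdomains are not inferred, so a recipe must list every
// host it wants grouped (the conservative choice).
function relatedDomains(host) {
  return new Set(DOMAIN_TO_GROUP.get(host) ?? [host]);
}

// Saved logins that may be offered on `pageOrigin` (e.g. "https://example.de").
// Logins saved on related hosts are included, but a login saved on an https
// origin is never filled on an http page: treating the two as the same
// would expose the credential on the wire (the concern in comment #1).
function loginsForOrigin(pageOrigin, savedLogins) {
  const page = new URL(pageOrigin);
  const related = relatedDomains(page.hostname);
  return savedLogins.filter(login => {
    const saved = new URL(login.origin);
    if (!related.has(saved.hostname)) return false;
    return !(saved.protocol === "https:" && page.protocol !== "https:");
  });
}

// Duplicate check in the sense of bug 1118553: two saved logins are the same
// entry when the usernames match and the hosts share a backend.
function isSameRealmLogin(a, b) {
  const hostA = new URL(a.origin).hostname;
  const hostB = new URL(b.origin).hostname;
  return a.username === b.username && relatedDomains(hostA).has(hostB);
}
```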
User Story: (updated)
User Story: (updated)

As a first step, is it crazy to grab the duplicate list from LastPass? It has a built in list that we could probably use, if the lawyers give it the OK.

It'd be nice for FF to have this list built in at the outset.

Getting a list of these sites from some external source is something we will consider.

For our future reference, https://support.logmeininc.com/lastpass/help/duplicate-stored-passwords-across-multiple-sites-lp040007 talks about the default global list that LastPass has.

Mentioning this here from a related bug (Bug 1639737):

...it seems reasonable that if/when we implement realm support, we could provide a way for users to add their own realms if they would like to associate a login with multiple domains...


Attachment #9154440 - Attachment is obsolete: true
Attachment #9154440 - Flags: ui-review+
Attachment #9154440 - Flags: sec-approval?
Attachment #9154440 - Flags: review+
Attachment #9154440 - Flags: feedback+
Attachment #9154440 - Flags: data-review+
Attachment #9154440 - Flags: checkin+
Attachment #9154440 - Flags: approval-mozilla-release?
Attachment #9154440 - Flags: approval-mozilla-esr68?
Attachment #9154440 - Flags: approval-mozilla-beta?
Attachment #9154440 - Flags: a11y-review+
Assignee: nobody → tgiles
Status: NEW → ASSIGNED
Priority: P3 → P2
Attachment #9177498 - Attachment description: Bug 1120684 - Allow autocomplete to use related realm credentials. → Bug 1120684 - Allow autocomplete to use related realm credentials. r=sfoster!,leplatrem!,dimi

Comment on attachment 9199383 [details]
Bug 1120684 - Add websites-with-shared-credential-backends dump to tree. r=leplatrem

Revision D103105 was moved to bug 1687996. Setting attachment 9199383 [details] to obsolete.

Attachment #9199383 - Attachment is obsolete: true