You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On sites with independent pages for username, password is filled for username.
Steps To Reproduce
Store an amazon.com password
Go to amazon.com
Use "Auto-fill with Bitwarden"
Expected Result
The username is populated.
Actual Result
The password is populated.
Additional Context
While this is technically a dup of #1173, it was closed without resolution, and I would like to suggest at least removing the default behavior of inserting the password unless the field can be identified as a password field. Even if you can't detect/autofill a username field, it shouldn't just blindly insert the password in an <input type="email" field. These fields in particular tend to be leaky. E.g. they get stored in the browser's autofill, are frequently wired to JS validation (including third-party ones), and often have event handlers that fire requests to e.g. check for an SSO integration on focus lost.
if(usernameFields.Any()==false){//for some pages with two-step login, we don't see a password field and don't display the autofill for non-manual requests. But if the user forces autofill, //let's assume it is a username field:if(isManualRequest&&!passwordFields.Any()&& _editTextsWithoutHint.Count ==1){
usernameFields.Add(_editTextsWithoutHint.First());}}
The text was updated successfully, but these errors were encountered:
Thanks for reporting this issue. Autofill problems can affect different sites, apps, or devices, and we’re working on improving this feature. To help us track and analyze affected sites, please lodge a report using the Google Form mentioned in this issue: #1389. Please also direct any discussion or questions to that issue. This issue will now be closed.
Describe the Bug
On sites with independent pages for username, password is filled for username.
Steps To Reproduce
Expected Result
The username is populated.
Actual Result
The password is populated.
Additional Context
While this is technically a dup of #1173, it was closed without resolution, and I would like to suggest at least removing the default behavior of inserting the password unless the field can be identified as a password field. Even if you can't detect/autofill a username field, it shouldn't just blindly insert the password in an
<input type="email"
field. These fields in particular tend to be leaky. E.g. they get stored in the browser's autofill, are frequently wired to JS validation (including third-party ones), and often have event handlers that fire requests to e.g. check for an SSO integration on focus lost.However, other password managers handle this by just assuming username when it can't be determined to be a password field. While this isn't bulletproof, it generally has the desired behavior. In the event that it's wrong, I think it's still more in keeping with the principle of least surprise. E.g. Keepass has this fallback when no associated password field is present:
https://github.com/PhilippC/keepass2android/blob/fcd3cddbc7c7b9d5ea2ca34940d051e3262b6c90/src/keepass2android/services/AutofillBase/StructureParser.cs#L130
The text was updated successfully, but these errors were encountered: