TextInput: Password management browser extensions incompatible with shadow DOM #225
Comments
daneah
changed the title
|
This research suggests that adding the appropriate |
|
Short narrative on the user value and business risk: To me not supporting PW managers is almost a knock against our JSTOR brand and by extension pharos. It feels antiquated. Recent market research saying 20-24% of people use password managers. Also note that the “saved into browser” may also not work (did not for me on Firefox) and thats 24% from this first report. That means login is harder for everyone using pharos inputs for nearly 50% of users. This has lower usage numbers but from 2016 (6+ years old). And combining browsers as the password manager takes it to 30% |
|
I couldn't get any consistent behavior from the various browsers when trying the Chrome: Firefox: Webkit in various forms:
Getting a little support here and there for the browser's own password manager but its not consistent enough for me in any browser to say its at feature parity with non-shadow DOM elements |
|
For what it's worth, I've been following this thread since it's inception and have solved the issue for my Vue lib. I don't utilize your repo, but followed along to see how you talked through it. TL;DR password managers need to support traversing the shadow DOM when searching for valid elements, but most choose not to. I currently work mainly in Vue and have managed to get all password managers to work with components mounted within a shadow DOM by teleporting the elements out of the shadow DOM on mount with Vue's native This works for my scenario because I need to package my Vue components as native web components so that they can ship with their own version of Vue and other dependencies in the bundle that differ from the host application. I believe you could do the same with a React Portal. There are some necessary adjustments needed, such as explicitly scoping your component styles to a wrapper class, which prevent the styles from portentously leaking into the host application. (I did this utilizing In my own library, there are no vulnerabilities associated with the components "exiting" the isolation of the shadow DOM; however, this obviously isn't the case for every type of component. Edit: added some extra detail |
|
Thanks for the detailed tactic suggestions @adamdehaven! We'll take them under advisement. Because we're using Lit here I'm less sure of our faculties for a teleport/portal-esque approach; we'd potentially need to manage that ourselves if we hope to have consumers continue using these transparently agnostic of framework. |
|
Ah. I suggested React only because I saw it in your dependency tree. |
|
FWIW I explored the other, eh, "hacks" outlined above and can confidently say I wouldn't go that direction. Also, don't inject "hidden" HTML elements into the DOM to try and produce a workaround; it becomes a nightmare for users that utilize screen-readers and other assistive tech. |
We do provide light wrappers around the web components so that React plays a bit more nicely by default, but ultimately we're providing these to folks using React, Vue, Angular, and frameworkless. |
|
following along here too for my own design system of lit components. i’m thinking of an approach where the input/label are light dom children of a shadow dom component so that password managers can find the inputs. my concerns are how the value gets added and detecting that. i do t think there’s an event fired when the value is auto filled right? if there was, id add a listener to the light dom input and when it’s fired, copy the value into my shadow dom input or something. the cool thing about shadow dom and light dom children is that they aren’t shown if there no slot. so they would just need to be screen readers hidden in favor of the shadow dom input. so that just leaves figuring out if there’s an event to attach to, or something that a mutationobserver could observe. |
|
@michaelwarren1106 That's an interesting tactic! I'd hope there are still |
|
i suspect (without testing it at all) that password managers are just setting the value property directly, which won’t automatically emit any events. if the mgrs also manually emit events that would be great, but might be a security risk? of course all the password managers don’t have any dev docs describing how they work or listing events they emit etc |
|
It appears that something has been updated between 1Password and Chrome that allows for autofilling credential inputs within the shadow DOM. Pharos input edit: Looks like there was a recent 1Password fix highlighted in this post from 12/8 |
Expected behavior
When leveraging password management browser extensions (e.g. 1Password, LastPass), the browser plug in/extension can populate the un/pw fields so I don't have to manually enter.
Actual behavior
The browser extension doesn't recognize Pharos input fields to populate values.
Steps to reproduce the issue
Pharos version
Pharos v10.7.0
Your environment
Additional information
The assumption here is that because web components are not technically in the DOM, the browser extension doesn't have access/detect to the fields. This may not be something that needs direct attention/can be solved but more of a discussion on if this browser extension support is something to be desired.
The text was updated successfully, but these errors were encountered: