Unable to pick the correct fields for credentials in a particular site

[mestaritonttu]

Expected Behavior

Do not get trapped in some CSS hell.

Current Behavior

Search field is picked.

Steps to Reproduce (for bugs)

1. Navigate to https://www.asiakastieto.fi/
2. Click Choose own credential fields

Strangely the picking controls are also in the login section and you can access them after clicking "Dismiss". But I am unable to make the whole control section visible no matter how hard I tried to tweak the CSS in the dev tools.

General Info

KeePassXC fork - 2.3.0
keepassxc-browser - 1.0.0

Operating system: Arch Linux
Browser: Firefox 58.0.2
Proxy used: NO

[varjolintu]

Maybe this is because the whole site is wrapped inside an iframe. Have to do some more debugging.

[mnpenner]

I'm experiencing the same issue on one of my sites.

The "Username" field is not pickable. No iframes are used.

The HTML for the username field looks like

<input type="name" id="fakelogin" name="fakelogin" class="form-control" style="font-size:12px;padding:7px;width:80%" placeholder="Username" required="" autofocus="">

[varjolintu]

Thanks for these. I'm going to look at the issue today.

[varjolintu]

@mnpenner Have you been aware that HTML input type name is not a valid one. Of course we can add support for it but it's non-standard. I suggest you run your pages through a validator to see these kind of problems in time. See https://developer.mozilla.org/en-US/docs/Web/HTML/Element/Input.

[varjolintu]

@mestaritonttu It seems there's nothing I can do here even when I tried to make some nice hacks:

Uncaught DOMException: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Blocked a frame with origin "https://www.asiakastieto.fi" from accessing a cross-origin frame.

[mestaritonttu]

Ok, thanks for trying. Asiakastieto needs a spanking for constructing such a silly thing.

[varjolintu]

Actually they originally had the login in field in a div (it's commented out) but for some reason they've switched to iframe.

[mnpenner]

@varjolintu Hah...never noticed that. That code has been there forever. Thanks. I can fix that.

You might still consider making it less restrictive though, for all those sites outside our control.

Here's another example from tangerine.ca:

<input type="tel" name="login_pin" id="login_pin" class="input CB_DataMask ng-pristine ng-empty ng-invalid ng-invalid-required ng-valid-minlength ng-valid-maxlength ng-touched" ng-class="{warning:
              $ctrl.pinSectionForm.login_pin.$invalid &amp;&amp;
              $ctrl.pinSectionForm.login_pin.$touched &amp;&amp;
              $ctrl.pinSectionForm.login_pin.$dirty &amp;&amp;
              $ctrl.showErrorOn
            }" maxlength="6" minlength="4" numeric-input="" inputmode="numeric" in-view="$ctrl.pinInputInView($inview, $inviewInfo)" autofocus="" autofocus-device="ALL" autocomplete="off" ng-change="$ctrl.validateInput($ctrl.pinCredentials.PIN)" ng-keypress="$ctrl.onKeyPress($event)" ng-keyup="$ctrl.onNativeKeyPress($event)" ng-keydown="$ctrl.onNativeKeyPress($event)" ng-focus="$ctrl.onFocus()" ng-required="true" ng-blur="$ctrl.onBlur()" ng-model="$ctrl.pinCredentials.PIN" placeholder="4 or 6 digit Number" required="required" aria-invalid="true" data-cip-id="login_pin" style="">

It won't let me put my password into that box, presumably because its set to type="tel". I'm guessing they did this to get the number pad on mobile. They still masked input.

[varjolintu]

That's... a lot of code for a single input.

The extension currently supports the following input types: text, email, password, tel, number and discards any input if the type is not set at all.

[mnpenner]

¯\_(ツ)_/¯ That's Angular for you.

You could add an option to disable restrictions too. I'd personally prefer that it let me pick any field on the page. But I can see how highlighting everything might be less user-friendly, so making an option would be nice.

[varjolintu]

It could be an option to disable restrictions for a certain page, but of course not as default. Using it as a default option could be a serious risk to anyone who wish (for some reason) to use autofill.