Browser autofills master password and search box #656

Closed
fthiery opened this issue Jun 7, 2017 · 16 comments


fthiery commented Jun 7, 2017

Hello there,

Using https://github.com/jhass/nextcloud-keeweb, but I feel that here is a more appropriate place to describe this issue (as I don't know how nextcloud-keeweb could fix that).

When using nextcloud-keeweb under Chrome/Chromium/Firefox:

  • the master password is pre-filled with the nextcloud main password
  • upon completing the master password, the browser suggests updating the password saved for nextcloud
  • after decrypting, the search box is filled with the username of nextcloud, hence hiding the actual passwords

[screenshot: master_passwd]
[screenshot: searchbox]

Any ideas? I see that autocomplete="off" is set on these fields already.

antelle (Member) commented Jun 7, 2017

Hello!
Yes, it happens because browsers autocomplete passwords on the same domain, and we can't turn it off with autocomplete=off. Obviously you should not save passwords for KeeWeb, so I'll add a workaround: we'll explicitly set the field value to empty on start.

antelle added the Type ◦ Bug (Something isn't working) label Jun 7, 2017
antelle added this to the v1.6 milestone Jun 7, 2017

antelle (Member) commented Jun 7, 2017

Btw, how can I see it in Chrome? It happens only in Firefox for me.

antelle (Member) commented Jun 7, 2017

Could you please update KeeWeb from beta and test if it helps?
And in the future, we'll have a standard way to do it with autocomplete="new-password": https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion

fthiery (Author) commented Jun 8, 2017

@antelle about how to see it in Chrome, well, nothing special, it just does (as long as you accepted Chrome to start remembering fields, I guess); remember I'm not running keeweb alone, but within nextcloud, so I think that being on another website, Chrome tries to autocomplete with the website's password.

Thanks for the tweak, could you apply the same workaround for the search field too? I see your commit only applies to the master pwd.

I'll try to update KeeWeb to the latest beta, but I'm not sure how to do that with nextcloud-keeweb; also I'll have to deploy a test environment, or maybe running from within an iframe would be enough?

antelle (Member) commented Jun 8, 2017

Yes, I just put a random page with a login/password form on the same domain as keeweb and saved a random password there. So, Firefox doesn't prefill fields now, but I can't test it in Chrome because it doesn't prefill anything for me at all, so I can't be sure.
This fix is fixing both password and search fields: it screws the browser, so that it doesn't consider these fields as a login form (I don't know why Firefox decided that search is actually a username field).
I guess you can just put keeweb somewhere on your domain and test if it works: to be sure, you can put the release first and make sure fields are prefilled, and then replace it with beta and see if it helps.

fthiery (Author) commented Jun 8, 2017

Can you provide me with your test page file? In the meantime I'm trying to rebuild nextcloud-keeweb on master.

antelle (Member) commented Jun 8, 2017

It can be as simple as http://jsbin.com/filacoreri/edit?html,output

fthiery (Author) commented Jun 8, 2017

Even stupider question, how do I put keeweb on the server? I mean, the "web" version. Tried to put the app/ folder on a web server and open index.html, but I'm getting a 404 on app/css/main.css

Sorry, I'm completely new to electron/nodejs

antelle (Member) commented Jun 8, 2017

You need to download the built index.html from beta: wget beta.keeweb.info, or from app..

fthiery (Author) commented Jun 8, 2017

Downloading beta.keeweb.info worked, but to be sure, where can I download the stable keeweb similarly?

antelle (Member) commented Jun 8, 2017

The same, but app.keeweb.info.

fthiery (Author) commented Jun 9, 2017

Hmm, hard to be sure it replicates the issue. Going the nextcloud-keeweb build route to be sure.

fthiery (Author) commented Jun 9, 2017

Finally succeeded by rebuilding the nextcloud app; I was misled by thinking that Master was the dev branch, but it was the "develop" branch.

And I can happily say that it fixes the problem on Chromium! Thanks!

antelle (Member) commented Jun 9, 2017

And in Firefox, right? Then it will be released in the next release, v1.6.

antelle self-assigned this Jun 9, 2017

fthiery (Author) commented Jun 9, 2017

Sorry, didn't test, I just did and yes it works, although clicking on the field will suggest using the nextcloud password. But we can't do anything, right?

antelle (Member) commented Jun 9, 2017

We can't hide suggestions unfortunately... Once browsers implement this new API, autocomplete="new-password", these suggestions will disappear automatically. But I'm glad to hear it's working, thanks for help with testing!
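
The workaround discussed in this thread (empty the field on start, plus the autocomplete="new-password" hint), sketched as an added example; it is not KeeWeb's code or the commit mentioned above. The recheck delays, the keydown/paste test for "the user has typed", the fake field used to run it outside a browser, and the selectors are all assumptions.

```javascript
// Added example: not KeeWeb's code. Works on any object with the DOM input API used here.
const RECHECK_MS = [0, 100, 500, 1500]; // assumed delays; autofill can land after load

function guardAgainstAutofill(field, schedule = setTimeout) {
    let userTouched = false;
    // Hint from the thread; a browser may still offer suggestions on click.
    field.setAttribute('autocomplete', 'new-password');
    // Only trusted key presses or pastes count as the user's own input.
    const markUser = (e) => { if (e.isTrusted) userTouched = true; };
    field.addEventListener('keydown', markUser);
    field.addEventListener('paste', markUser);
    // Empty the field unless the user has started entering something.
    const clear = () => {
        if (userTouched || field.value === '') return false;
        field.value = '';
        return true;
    };
    clear();
    RECHECK_MS.forEach((ms) => schedule(clear, ms));
    return clear;
}

// Constructed stand-in for an <input>, so the logic can be run outside a browser.
function makeFakeField(initialValue) {
    const listeners = {};
    const attrs = {};
    return {
        value: initialValue,
        attrs,
        setAttribute(name, v) { attrs[name] = v; },
        addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
        fire(type, isTrusted) { (listeners[type] || []).forEach((fn) => fn({ type, isTrusted })); },
    };
}

// In a page: apply to the unlock and search inputs (selectors are hypothetical).
if (typeof document !== 'undefined') {
    document.querySelectorAll('input.master-password, input.search-box')
        .forEach((el) => guardAgainstAutofill(el));
}
```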
