Bug 1330228 - Use hasBeenTypePassword in FormData.jsm to not save former password fields. r=Felipe
authorMatthew Noorenberghe <mozilla@noorenberghe.ca>
Fri, 21 Dec 2018 16:56:15 +0000
changeset 508848 443b0e20be2216655fcd4c0ab32287282014c697
parent 508847 fa89cf35d16f3402c60e204836d533f2e9cb36e1
child 508849 3a8931f714f386241fc3a733cbc769e15769acdc
push id10547
push userffxbld-merge
push dateMon, 21 Jan 2019 13:03:58 +0000
treeherdermozilla-beta@24ec1916bffe [default view] [failures only]
reviewersFelipe
bugs1330228
milestone66.0a1
Bug 1330228 - Use hasBeenTypePassword in FormData.jsm to not save former password fields. r=Felipe

Differential Revision: https://phabricator.services.mozilla.com/D15208
browser/components/sessionstore/test/browser.ini
browser/components/sessionstore/test/browser_formdata_password.js
browser/components/sessionstore/test/file_formdata_password.html
toolkit/modules/sessionstore/FormData.jsm
--- a/browser/components/sessionstore/test/browser.ini
+++ b/browser/components/sessionstore/test/browser.ini
@@ -95,16 +95,18 @@ skip-if = !e10s || !crashreporter
 skip-if = !e10s || !crashreporter
 [browser_dying_cache.js]
 skip-if = (os == 'win') # bug 1331853
 [browser_dynamic_frames.js]
 [browser_formdata.js]
 skip-if = (verify && debug)
 [browser_formdata_cc.js]
 [browser_formdata_format.js]
+[browser_formdata_password.js]
+support-files = file_formdata_password.html
 [browser_formdata_xpath.js]
 [browser_frametree.js]
 [browser_frame_history.js]
 skip-if = (verify && (os == 'win' || os == 'mac'))
 [browser_global_store.js]
 [browser_history_persist.js]
 [browser_label_and_icon.js]
 [browser_merge_closed_tabs.js]
new file mode 100644
--- /dev/null
+++ b/browser/components/sessionstore/test/browser_formdata_password.js
@@ -0,0 +1,51 @@
+"use strict";
+
+/**
+ * Ensures that <input>s that are/were type=password are not saved.
+ */
+
+const URL = "https://example.com/browser/browser/components/" +
+            "sessionstore/test/file_formdata_password.html";
+
+add_task(async function test_hasBeenTypePassword() {
+  let tab = BrowserTestUtils.addTab(gBrowser, URL);
+  let browser = tab.linkedBrowser;
+  await promiseBrowserLoaded(browser);
+
+  await ContentTask.spawn(browser, {}, async function fillFields() {
+    let doc = content.document;
+
+    doc.getElementById("TextValue").setUserInput("abc");
+
+    doc.getElementById("TextValuePassword").setUserInput("def");
+    doc.getElementById("TextValuePassword").type = "password";
+
+    doc.getElementById("TextPasswordValue").type = "password";
+    doc.getElementById("TextPasswordValue").setUserInput("ghi");
+
+    doc.getElementById("PasswordValueText").setUserInput("jkl");
+    doc.getElementById("PasswordValueText").type = "text";
+
+    doc.getElementById("PasswordTextValue").type = "text";
+    doc.getElementById("PasswordTextValue").setUserInput("mno");
+
+    doc.getElementById("PasswordValue").setUserInput("pqr");
+  });
+
+  // Remove the tab.
+  await promiseRemoveTabAndSessionState(tab);
+
+  let [{state: {formdata}}] = JSON.parse(ss.getClosedTabData(window));
+  let expected = [
+    ["TextValue", "abc"],
+    ["TextValuePassword", undefined],
+    ["TextPasswordValue", undefined],
+    ["PasswordValueText", undefined],
+    ["PasswordTextValue", undefined],
+    ["PasswordValue", undefined],
+  ];
+
+  for (let [id, expectedValue] of expected) {
+    is(formdata.id[id], expectedValue, `Value should be ${expectedValue} for ${id}`);
+  }
+});
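Review bot: Every input exercised here has an `id`, so the loop only reads `formdata.id` and never checks fields that session store keys by generated XPath. The FormData.jsm hunk in this commit has an `!node.id` branch for XPath generation, which suggests id-less inputs are recorded under a separate key (presumably `formdata.xpath`; confirm against the collector). Adding an id-less `<input type="password">` to file_formdata_password.html, with an assertion such as `ok(!formdata.xpath, "no XPath-keyed values should be saved")`, would pin the exclusion for that path too.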
new file mode 100644
--- /dev/null
+++ b/browser/components/sessionstore/test/file_formdata_password.html
@@ -0,0 +1,17 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+  </head>
+  <body>
+    <!-- Text/Password in the name indicates the type and the position of 'Value'
+         indicates when the value gets set relative to the type changes. -->
+    <input id="TextValue">
+    <input id="TextValuePassword">
+    <input id="TextPasswordValue">
+
+    <input id="PasswordValueText" type="password">
+    <input id="PasswordTextValue" type="password">
+    <input id="PasswordValue" type="password">
+  </body>
+</html>
--- a/toolkit/modules/sessionstore/FormData.jsm
+++ b/toolkit/modules/sessionstore/FormData.jsm
@@ -156,19 +156,19 @@ var FormDataInternal = {
       let value;
 
       // Only generate a limited number of XPath expressions for perf reasons
       // (cf. bug 477564)
       if (!node.id && generatedCount > MAX_TRAVERSED_XPATHS) {
         continue;
       }
 
-      // We do not want to collect credit card numbers.
+      // We do not want to collect credit card numbers or past/current password fields.
       if (ChromeUtils.getClassName(node) === "HTMLInputElement") {
-        if (CreditCard.isValidNumber(node.value)) {
+        if (CreditCard.isValidNumber(node.value) || node.hasBeenTypePassword) {
           continue;
         }
       }
 
       if (ChromeUtils.getClassName(node) === "HTMLInputElement" ||
           ChromeUtils.getClassName(node) === "HTMLTextAreaElement" ||
           (node.namespaceURI == this.namespaceURIs.xul && node.localName == "textbox")) {
         switch (node.type) {
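Review bot: In the new condition, `CreditCard.isValidNumber(node.value)` still runs on every password field's value before `node.hasBeenTypePassword` is consulted. Putting the flag first, `if (node.hasBeenTypePassword || CreditCard.isValidNumber(node.value)) {`, skips such a field without passing its value to the card-number check. The comment could also say why former password fields are excluded, e.g. `// Skip inputs that are, or ever were, type=password: pages that switch the type to "text" to reveal a password must not leak it into session data.` The enclosing loop starts and ends outside this hunk, so whether other collection paths reach these nodes cannot be judged from here.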