Safari silently overwrites various username or password fields

    • Type: Bug
    • Resolution: Won't Fix
    • Priority: Trivial
    • credentials-plugin
    • Safari 6.1.1, MacOSX 10.8.5

      I am using Safari on Mac, and have set it up to remember my username/password for the login screen.

      Now in various other (non-login) pages in Jenkins, there is a username or password field, and Safari overwrites those fields with my stored user info on each page load, even if they already contain other values. The only indication is that the fields are shown with a yellow background.

      This happens for example:

      • In the proxy configuration of Plugin Manager -> Advanced
      • When adding or EDITING a credential
      • When adding a credential of kind Certificate: the filename field is filled with my username, but the password field is not touched.
      • When going to Manage Credentials page, I have a "SSH username with private key" and a "Username with password" credential, and it replaces the username of the first, and the password field of the second entry

      It does NOT happen in some other places, for example the Jira Setup.

          [JENKINS-22338] Safari silently overwrites various username or password fields

          Arnt Witteveen added a comment - Happened to some of my users as well, and they inadvertently overwrote the user and password set for the perforce SCM with their Jenkins login data.

          Jesse Glick added a comment -

          Most of these relate to the Credentials plugin so limiting it to that. The proxy configuration case is separate. I am not sure if there is any solution other than disabling credentials autofill in your browser (at least on the current site); it is up to each browser to do so only when it can be confident that it is entering the right username and password. In Chrome it works fine in my experience and I would not like the web application to disable it generally. In the case of the Credentials plugin it may make sense to disable autofill on these forms since you rarely want to enter the same credentials twice (though I have found it useful for demos).

          Marc Günther added a comment -

          I don't understand how Safari decides which fields to overwrite.

          For example on the page Manage Jenkins -> Configure Global Security I use the Project-based Matrix Authorization Strategy and it detects the "User/group to add" text field at the end as the one to put my login name. The html looks like this:

          <td colspan="3">
            User/group to add:
            <input id="id1826282text" type="text">
            <span class="yui-button yui-push-button " id="id1826282button" name="">
              <span class="first-child">
                <button type="button" tabindex="0" id="id1826282button-button">Add</button>
              </span>
            </span>
          </td>

          So it seems the only indication is that there is a text containing the string "user" in front of an otherwise completely unusual text field.

          BTW, Safari only does that if it also detects a password field on the same page, which in my case is way above on that page in the "Security Realm -> Crowd" setting. The html here looks like this:

          <tr nameref="radio-block-0" style="">
            <td class="setting-leftspace">&nbsp;</td>
            <td class="setting-name">Application Password</td>
            <td class="setting-main">
              <input name="crowd.applicationPassword" value="secret" class="setting-input " type="password">
            </td>
            <td class="setting-help"><a class="help-button" href="#" helpurl="/jenkins/plugin/crowd/help-global-apppassword.html" tabindex="9999"><img height="16" alt="Help for feature: Application Password" width="16" src="/jenkins/static/83dac1d3/images/16x16/help.png"></a></td>
          </tr>

          Here, at least, the field is of type password, it contains "password" in its name, and it has "password" in the string before it...

          I'm confused...

          Anyway, the problem is that the "Configure Global Security" page is completely unusable in Safari, as it will overwrite the Crowd password every time. And, the layout being as broken as it is, you don't even notice, as the password field is somewhere outside the page on the far right...
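
Added example (not part of the original comment, and not Jenkins code): a small Python audit that flags the field pattern described in the comment above, namely a text input preceded by text containing "user" on a page that also has a password input, plus password inputs rendered with a stored value. It encodes only that observation, not Safari's actual autofill logic; `AutofillAudit`, `audit` and `SAMPLE_PAGE` are hypothetical names, and the sample markup is constructed from the two snippets quoted above.

```python
from html.parser import HTMLParser

# Constructed sample: the two fragments quoted in the comment, on one page.
SAMPLE_PAGE = """
<table>
<tr><td class="setting-name">Application Password</td>
<td><input name="crowd.applicationPassword" value="secret" type="password"></td></tr>
<tr><td colspan="3">User/group to add:
<input id="id1826282text" type="text"></td></tr>
</table>
"""

class AutofillAudit(HTMLParser):
    """Collects inputs matching the pattern observed in the comment."""
    def __init__(self):
        super().__init__()
        self.last_text = ""         # nearest non-blank text before an input
        self.password_fields = []   # (identifier, has server-rendered value)
        self.user_like_fields = []  # text inputs preceded by "user" text

    def handle_data(self, data):
        if data.strip():
            self.last_text = data.strip()

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        ident = a.get("name") or a.get("id") or "<unnamed>"
        kind = (a.get("type") or "text").lower()
        if kind == "password":
            self.password_fields.append((ident, bool(a.get("value"))))
        elif kind == "text" and "user" in self.last_text.lower():
            self.user_like_fields.append(ident)

def audit(html):
    """Return (finding, field) pairs for one rendered page."""
    parser = AutofillAudit()
    parser.feed(html)
    parser.close()
    findings = []
    # The username overwrite was reported only when the page also has a password field.
    if parser.password_fields:
        findings += [("username-candidate", i) for i in parser.user_like_fields]
    # A password input rendered with a value is a stored secret a silent fill would replace.
    findings += [("stored-secret-at-risk", i) for i, filled in parser.password_fields if filled]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE):
        print(finding)
```

Run against saved copies of configuration pages, the findings list the fields worth checking by hand in the affected browser before saving a form.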

          Daniel Beck added a comment -

          Marc: Please note that this affects several different components with different authors. For any reports to be effective, make sure to report each component independently (matrix-auth plugin, core for the update center proxy, crowd plugin, credentials plugin, ...).

          Marc Günther added a comment -

          Yea, I know, just trying to find out what we can actually do to prevent this thing from happening...

          As it seems that simply using autocomplete="off" does not work

          for Safari: http://stackoverflow.com/questions/22661977/disabling-safari-autofill-on-usernames-and-passwords
          nor for Chrome: https://code.google.com/p/chromium/issues/detail?id=370363#makechanges

          Stephen Connolly added a comment - It's clearly Safari's problem

            stephenconnolly Stephen Connolly
            marc_guenther Marc Günther
            Votes: 1
            Watchers: 6
