Page MenuHomePhabricator

MediaWiki user and password fields should have the proper autocomplete value
Open, Needs TriagePublic

Description

Username fields should have autocomplete="username". Password fields should have autocomplete="current-password". Password and retype fields where the user is supposed to enter a new password should have autocomplete="new-password". Spec, Chromium guidelines. This will make using browsers' built in password managers a better experience.

See also T263800: Implement .well-known/change-password redirect on Wikimedia sites.

Event Timeline

Change 630357 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Add autocomplete HTML attribute to common auth form fields

https://gerrit.wikimedia.org/r/630357

Current behavior in Chrome 85:

  • login form: username + password autofilled, password selection form is offered (ie. works as the user would expect)
  • new password forms (change password special page, forced password change on login): same behavior as login form. There is no autocomplete for the retype field at all.

With the patch:

  • login form: no change
  • new password forms: the username offers the user's stored email addresses; password field offers password selection form with an extra "suggest password" option, password is copied to retype field when selected.

With the patch, but with no "username" hint on the username field in account creation:
the username only offers form history values; password field offers password selection form with an extra "suggest password" option; password is not copied to retype field when selected.

Change 630359 had a related patch set uploaded (by Gergő Tisza; owner: Gergő Tisza):
[mediawiki/core@master] Add hidden username to password change forms

https://gerrit.wikimedia.org/r/630359

Change 630357 merged by jenkins-bot:
[mediawiki/core@master] Add autocomplete HTML attribute to common auth form fields

https://gerrit.wikimedia.org/r/630357

Change 630359 merged by jenkins-bot:
[mediawiki/core@master] Add hidden username to password change forms

https://gerrit.wikimedia.org/r/630359

I'd like to test the behavior more and maybe file some bug reports / support questions with browser if I ever get around to it. The code change is complete but at a glance it did not seem to have all the effects I hoped. (For example, if you log in with a weak password and get the password change dialog, Chrome won't offer generating a new password, even though as far as I can see the form follows all their recommendations.)

Hello,
I'm a first time contributor here. I would like to work on this issue. Can someone please guide me?

Thanks,
Sam

@Sam1905571 I think the easy part is already done (apologies, I forgot to update the tags). That said if you are interested in proceeding with the task, the next step would be testing the various password forms (login, login with a weak password, signup, password change) in Chrome and checking how much they work as it's expected - does Chrome offer to generate a random password for new password fields? Does it retrieve a saved password for the old password fields? Does it properly save passwords?

@Tgr Thank you for responding. I will start testing the feature on Chrome and get back with observations.