Status: Available Owner: ---- Labels: Type-Bug Pri-2 OS-All Area-WebKit Area-BrowserUI
New issue 28910 by [email protected]: Password saving on sites that swap out clear text passwords with hashes doesn't work http://code.google.com/p/chromium/issues/detail?id=28910 Some sites, such as LiveJournal.com, have javascript that listens for submit events and clears the text in the password field and sets an MD5 (etc) challenge response in a hidden field on the page. example JS found: var pass = pass_field.value; var chal = chal_field.value; var res = MD5(chal + MD5(pass)); resp_field.value = res; pass_field.value = ""; // dont send clear-text password! This gets processed before the WebCore::FrameLoader is told to submit the form, which makes sense because the intent is that the form being submitted doesn't contain the clear text password. Since we listen for 'willSubmitForm' events, by the time this event bubbles up to the password manager layer, the password field is empty. I'm filing this as Area-Webkit, because to fix this we need to come up with a different way at the glue layer of grabbing the password field value. I don't know what else is available at the moment, short of watching input to the fields when we detect a password form is present. We already do this for password autocomplete once we have determined we have data to autofill. -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings -- Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs
