-
Notifications
You must be signed in to change notification settings - Fork 80
Autosubmit form by emitting Enter keypress #271
Comments
@maximbaz What are your thoughts regarding a multi-submit login workflow? Obviously the error page is a problem, but more generally, should we ever auto-submit multiple pages, or is this too dangerous? If we do it, should it be site-specific, or more generalised logic that tries to work for everything (I reckon that if we do it, it should be the latter). |
Ignore the close sorry - typing on my phone and bumped the wrong button. I've reopened it. |
We have recently discussed the multi-submit login workflow and also agreed to implement it, good timing 🙂 I think it should be generalized, and I think we should allow auto-submit if user configured so, it is easy to disable it on per-site basis if needed. Now, to the failing auto-submit on Google. I was hoping to say that it would be fixed with #261, but looks like it won't - Google simply doesn't follow the standards and doesn't mark that this button is a submit button for the login form, so we don't know which button to click. And we don't want browserpass to click on wrong buttons on a webpage. We'll look closely when we get to this issue, but I have a feeling it won't be fixed, unfortunately. |
LastPass toggles auto-submit on a per login basis rather than a per site basis. If auto-submit is toggled on, it fills in the login form as soon as you browse to it and clicks the submit button for you. This allows you to never have to enter any credential to login to a site - nice, except in the case where you have multiple logins for a site. Toggling auto-login for all the logins except the one you want to use as the default login allows you to login without credentials most of the time. When I want to login as another user after LastPass has logged me in, I immediately logout of the site and LastPass' auto-login feature is disabled for that site for a minute or so (I'm not exactly sure how long its timeout is). Then I can choose the other login as usual and click the login button. If this ends up happening too often, I either change which login acts as the default login, or disable auto-login for all the logins of that site. In either case, a per-login rather than per-site auto-login toggle is necessary. As for the Google case, can you click the button if there is only one button on a page? By the process of elimination, that one single button must be the login button :). Failing that, how about clicking the button with the text "Login" or in Google's case, "Next"? Failing that, how about entering the password into the password field, followed by an [enter]? Google, and probably other sites have programmed the login button to be the default button clicked when the user presses [enter]. |
It is per-login in browserpass as well, not per-site, sorry for confusion (plus a global toggle). Except you still have to select the credentials manually, no magic is happening, so auto-submit is truly only "clicking the submit button after I select credentials". I'm not fan of clicking any unknown buttons, regardless of how many they are. To be precise, Google sign-in page has 0 But I like the last idea, automatically pressing Enter. I'm not sure if it is possible, but definitely worth investigating! We already have the logic that when a submit button is not found, we focus the password field specifically so that a user can just press Enter, but somehow I never thought of pressing the Enter for user as well. Thanks for all the ideas 👍 |
What we really need is the button id, which in this case, is So why don't you let the user set up his own look up table?
This means every user will have to manually login to a website once to train the auto-login feature. Version 2 of this idea would be to crowdsource and aggregate everybody's URL->submit-button-id mapping:
This means a website will only have to be manually logged in once by anyone in the world to benefit everybody else. This database would also be useful for research purposes, to find out which ids are used to identify a login submit button, and which login pages are used most often. If a pattern among the ids could be found with sufficient data points, then the general submit-button identification algorithm could be enhanced with that knowledge to decrease the size and need for this exception database. There are performance, privacy and security concerns with having a centralized database of submit form meta-data. One solution is to use volunteers to vet submitted mappings before distributing them to the world. Another solution is to use a voting mechanism: if enough people agree (ie submit the same) URL->submit-form id mapping, then that mapping could be considered trusted or worthy of human review before global distribution. Version 3 of this idea is to extend form filling support to all types of forms, especially for eCommerce sites where they want you to fill in your contact and purchase information. There's no standard for identifying these fields, but if you have a sufficiently large data set of form-ids and know which forms are filled out most often, then you can focus your development and test resources on the 20% of forms that 80% of the world commonly uses. |
The issue with Google login will probably be solved by triggering an Enter keypress event, and together with #261 browserpass will be able to correctly submit 99% of forms. Let's see then which websites will still have issues. Currently I'm not sure that implementing lookup tables for button selectors is worth time investments for that limited amount of the completely broken forms that don't follow the stardards of marking the form buttons correctly, have no form submit action assigned and don't react on Enter keypress, especially if we also account for time on maintaining the larger and more complex codebase. As for supporting more form fields, that we will have at some point, tracked by #187. |
Multi-step authentication will be tracked by #286, this ticket will track submitting forms by emitting Enter keypress. |
Implemented in 3.0.2, also see #331. Sadly only works in Chromium, not in Firefox. |
General information
Google requires you to authenticate with your email and password in two separate steps, and it's fooling browserpass:
Exact steps to reproduce the problem
The text was updated successfully, but these errors were encountered: