QA/InsecurePasswords


Revision History

This section describes the modifications that have been made to this wiki page. A new row is added each time the content of this document is updated (small corrections for typographical errors do not need to be recorded). Each description states how the page differs from the prior version: which sections were updated and to what extent.

| Date | Version | Author | Description |
|---|---|---|---|
| 01/05/2017 | 1.0 | Adrian Florinescu | Initial Draft |
| 02/01/2017 | 2.0 | Adrian Florinescu | Updates: Preparing for hand-over to RelQA |

Overview

If the user has a saved password on an HTTP page, the Password Manager should not fill it automatically. Instead, the user must first type in or select their username. At that point (after user interaction) the Password Manager can fill the password. With this change, Firefox moves to a more secure Password Manager that fills credentials manually, after user interaction, instead of using the old automatic autofill.

Purpose

Detail the purpose of this document. For example:

  • The test scope, focus areas and objectives
  • The test responsibilities
  • The test strategy for the levels and types of test for this release
  • The entry and exit criteria
  • The basis of the test estimates
  • Any risks, issues, assumptions and test dependencies
  • The test schedule and major milestones
  • The test deliverables

Scope

This wiki details the testing that will be performed for the Insecure Passwords feature. The scope of the Insecure Passwords feature is as follows:

Ownership

• Program Management:

• Project Management:

• Engineering Management:

• Eng.:

• QA

Testing summary

Scope of Testing

In Scope

  • Verify that Sync and the Password Manager still function as they did before the Insecure Passwords change was introduced
  • The Password Manager will not auto-fill in the following cases:
      - HTTP sites
      - HTTPS sites that have mixed active content
      - sites in an iframe? (if an HTTPS form is loaded into an HTTP site? See https://bugzilla.mozilla.org/show_bug.cgi?id=1217152#c2)
      - invisible form fields

Out of Scope

Although the Password Manager's overall functionality is only partially affected at this point, it should be decided later whether the Password Manager needs to be added to the full scope of this test plan.

Requirements for testing

Environments

  • Standard OSes: Ubuntu, Windows, OSX (versions TBD)
  • various http login sites
  • various https login sites
  • sync accounts that have Password sync enabled and saved users/passwords

Channel dependent settings (configs) and environment setups

Nightly

Currently the two preferences that enable Insecure Passwords are set as default on Nightly 53:

  • "security.insecure_field_warning.contextual.enabled" - true
  • "signon.autofillForms.http" - false

Aurora

Currently the two preferences that enable Insecure Passwords are set as default on Aurora 52:

  • "security.insecure_field_warning.contextual.enabled" - true
  • "signon.autofillForms.http" - false

Beta

Beta 51 - N/A

Post Beta / Release

Release 50 - N/A

Test Strategy

Test Objectives

This section details the progression test objectives that will be covered. Please note that this is at a high level. For large projects, a suite of test cases would be created which would reference directly back to this master. This could be documented in bullet form or in a table similar to the one below.

| Ref | Function | Test Objective | Test Type | Risk Assessment and Coverage (RAC) | Owners |
|---|---|---|---|---|---|
| TO-1 | User Experience expectations | To ensure a positive user experience is balanced with the security expectations | Manual | RAC-1 | Eng Team |
| TO-2 | Functional verification | Autocomplete/autofill functional verification | Manual | RAC-3 | Eng Team |
| TO-3 | User/pass autocomplete layout verification | To ensure the user/pass autocomplete dropdown lists are behaving as expected | Manual | RAC-1, RAC-2 | Eng Team |
| TO-4 | Form history | Ensure the form history functions as expected | Manual | RAC-4 | Eng Team |
| TO-5 | Data lists | To ensure that data lists are functioning as expected | Manual | RAC-4 | Eng Team |
| TO-6 | Integration with Password manager | To ensure that Password manager in/out are not affected by the autocomplete refactoring | Manual | - | Eng Team |
| TO-7 | Preferences | To verify the preferences: on enables the feature; off disables the feature | Manual | - | Eng Team |
| TO-8 | Accessibility | To verify accessibility prerequisites: colors, mouse only, keyboard only | Manual | RAC-5, RAC-6 | Eng Team |
| TO-9 | Localization | RTL and strings in general (contextual warning) | Manual | RAC-7 | Eng Team |
| TO-10 | Sync integration | To ensure that password manager autofill and contextual warning are integrated with sync | Manual | - | Eng Team |

Risk Assessment and Coverage

| ID | Description / Threat Description | Covered by Test Objective | Magnitude | Probability | Priority | Impact Score |
|---|---|---|---|---|---|---|
| RAC-1 | User Experience | TO-1, TO-03, TO-05 | 3-High | 3-High | 3-High | 27 |
| RAC-2 | Autocomplete changes/Contextual warning - effect on usability | TO-03 | 3-High | 3-High | 3-High | 27 |
| RAC-3 | Autocomplete/Contextual behavior is constant e10s/non-e10s | TO-02 | 3-High | 2-Possible | 3-High | 18 |
| RAC-4 | Form History/Data List might be affected by the autocomplete refactoring (1296638) | TO-04, TO-05 | 3-High | 2-Possible | 3-High | 18 |
| RAC-5 | Background colors and colors in general are visible and readable under high contrast | TO-08 | 3-High | 3-High | 2-Medium | 18 |
| RAC-6 | Screen reader on the warning message? | TO-08 | 1-Low | 2-Possible | 3-High | 6 |
| RAC-7 | RTL | TO-09 | 1-Low | 2-Possible | 2-Medium | 4 |

Values:

  • Magnitude: 1-Low, 2-Moderate, 3-High
  • Probability: 1-Unlikely, 2-Possible, 3-Almost Certain
  • Priority: 1-Low, 2-Medium, 3-High

Impact Score Breakdown:

  • An impact value of 1, 2, 3 or 4 describes an area that should be covered but where no critical issues are expected to be found.
  • An impact value of 6, 8, 9 or 12 describes an area where we expect to find issues, but those issues are not expected to be critical.
  • An impact value of 18 or 27 describes an area where issues are likely to be found and are likely to be critical or blockers.

Builds

This section should contain links for builds with the feature - Insecure Passwords Enabled

Test Execution Schedule

The following table identifies the anticipated testing period available for test execution.

| Project phase | Start Date | End Date |
|---|---|---|
| Start project | 27.12.2016 | |
| Study documentation/specs received from developers | 12.27.2016 | 01.10.2017 |
| QA - Test plan creation | 01.05.2016 | 01.13.2016 |
| QA - Test cases/Env preparation | 01.05.2017 | 01.20.2017 |
| QA - Nightly Testing | 12.27.2016 | 01.21.2017 |
| QA - Aurora Testing | 01.05.2017 | 01.23.2017 |
| QA - Beta Testing | N/A | N/A |
| Release Date | N/A | N/A |

Testing Tools

Detail the tools to be used for testing, for example see the following table:

| Process | Tool |
|---|---|
| Test plan creation | Mozilla wiki |
| Test case creation | TestRail / Google Docs |
| Test case execution | TestRail |
| Bugs management | Bugzilla |

Status

Overview

Track the dates and build number where feature was released to Nightly
Track the dates and build number where feature was merged to Aurora
Track the dates and build number where feature was merged to Release/Beta

References

  • List and links for specs

ID Priority Component Assigned to Summary Status Target milestone
333521 -- Security Add warning to HTTP Basic auth prompt for non-HTTPS connections NEW ---
667233 -- Password Manager Matthew N. [:MattN] HTTP passwords should be used on the HTTPS version of the same domain RESOLVED mozilla49
748193 -- Security Highlight Password Form Fields on http pages or with http submits RESOLVED ---
1179961 P1 Security :Paolo Amadini Use a lock with a strikethrough for HTTP pages that have Password Fields in the Control Center VERIFIED Firefox 44
1185145 P3 Security Firefox should warn if using HTTP basic auth without TLS RESOLVED ---
1191092 -- Security Sean Lee [:seanlee][:weilonge] InsecurePasswordUtils should handle <input type=password> outside of a <form> RESOLVED mozilla48
1193336 -- Address Bar [UX] Design new icon for insecure connections to use on HTTP sites with password fields RESOLVED ---
1193338 P1 General [UX] Handle case where an insecure password field is present in a subframe of an HTTPS page RESOLVED ---
1193339 P1 General [UX] Provide design for Control Center detail view when insecure password fields are present RESOLVED ---
1193341 P1 Password Manager :Paolo Amadini Detect presence of password fields in any subframe, flagging those on insecure connections RESOLVED mozilla44
1193344 -- General Control Center and Identity Block should show when at least one insecure password field is present RESOLVED ---
1215344 P3 Password Manager checkIfURIisSecure should not use documentURI to determine if a site is secure RESOLVED ---
1216699 P1 Security :Paolo Amadini Add Learn More link to Insecure Password Warning in Control Center VERIFIED Firefox 45
1216802 P3 Security Detect when password elements are visible on a page RESOLVED ---
1217133 P1 Security Panos Astithas (he/him) [:past] (please ni?) Don't warn about insecure passwords on localhost VERIFIED Firefox 45
1217150 P1 General Ash Grigas [UX] create design spec for insecure password feedback over https on login/password form field RESOLVED ---
1217152 P1 Password Manager Tanvi Vyas[:tanvi] Flip prefs to disable login autofill on HTTP and enable the warning on insecure login fields VERIFIED mozilla53
1217156 P1 Security Tanvi Vyas[:tanvi] Add a preference to turn on/off insecure password warnings RESOLVED Firefox 45
1217162 P1 Security Sean Lee [:seanlee][:weilonge] Implement Contextual Feedback on Insecure Passwords RESOLVED Firefox 52
1217165 P1 Security Joni Chan Write Learn More SUMO Article for Insecure Password Warning in Control Center RESOLVED ---
1217766 P1 Security :Paolo Amadini All PDFs trigger the insecure password warning VERIFIED Firefox 46
1221206 P1 Security Tanvi Vyas[:tanvi] Turn on Insecure Password Warning for Firefox Dev Edition VERIFIED Firefox 46
1241292 P1 Security Tanvi Vyas[:tanvi] Revisit "Your login could be compromised" string for Insecure Password Warning RESOLVED Firefox 46
1244022 P1 Security Jonathan Kingston [:jkt] he/him Wrong mouse over message for crossed out lock icon VERIFIED Firefox 48
1257757 P1 Password Manager Matthew N. [:MattN] Include filenames in InsecurePasswordUtils errors VERIFIED mozilla48
1261234 -- Password Manager Sean Lee [:seanlee][:weilonge] Insecure form action password form warning appears for trustworthy action URLs using HTTP RESOLVED mozilla49
1262009 -- Security Brian Grinstead [:bgrins] Firefox attempts to update ssl information for chrome URLs that contain inner frames with secure content RESOLVED Firefox 48
1272507 -- Password Manager Matthew N. [:MattN] HTTP passwords should be used on the HTTPS version of HTTP auth on the same domain RESOLVED mozilla51
1301772 P1 Security Panos Astithas (he/him) [:past] (please ni?) Turn on Insecure Password Warning in Firefox Beta VERIFIED Firefox 51
1304224 P4 Security [meta] Add Contextual Warning to username/password fields on HTTP pages NEW ---
1309044 P3 Security Followup design on Contextual Insecure Password Warning - don't expose logins until second click NEW ---
1333691 -- Security Insecure password fields message annoying in short width fields RESOLVED ---
1334760 -- Security Insecure login warning on page with embedded secure login within an iframe RESOLVED ---
1345924 -- Security Username on insecure forms doesn't suggest previously used values (no saved logins) RESOLVED ---
1349681 -- Security Show the lock with a strike-through in the address bar when insecure credit card fields are present RESOLVED ---
1403390 P3 Form Manager Hide the insecure password warning is not user-friendly enough UNCONFIRMED ---
1486749 -- Security No warning in the address bar for login form with HTTP action on HTTPS page RESOLVED ---

37 Total; 4 Open (10.81%); 24 Resolved (64.86%); 9 Verified (24.32%);


  • bug 1304224 - [meta] Add Contextual Warning to username/password fields on HTTP pages
ID Priority Component Assigned to Summary Status Target milestone
376668 P1 Password Manager Dale Harvey (:daleharvey) Improve discoverability of login autocompletion (used with multiple accounts) VERIFIED mozilla53
1120037 P1 Password Manager Dale Harvey (:daleharvey) Username autocompletion isn't attached initially when the username field with autocomplete=off is focused with <body onload="field.focus()"> RESOLVED ---
1217152 P1 Password Manager Tanvi Vyas[:tanvi] Flip prefs to disable login autofill on HTTP and enable the warning on insecure login fields VERIFIED mozilla53
1217162 P1 Security Sean Lee [:seanlee][:weilonge] Implement Contextual Feedback on Insecure Passwords RESOLVED Firefox 52
1289913 P1 Password Manager Sean Lee [:seanlee][:weilonge] Show autocomplete UI on password fields VERIFIED mozilla52
1296638 P3 Form Manager Mike Conley (:mconley) (:⚙️) Switch toolkit Form Autocomplete popup from using a <xul:tree> to using a <xul:richlistbox> VERIFIED mozilla52
1302474 P1 Password Manager Johann Hofmann [:johannh] Add a pref to disable login autofill on insecure forms VERIFIED mozilla52
1311301 P1 Password Manager Dale Harvey (:daleharvey) Improve discoverability of login autocompletion autofocused inputs RESOLVED mozilla53
1314478 P1 Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) Contextual Insecure Password Warning should show up for all username fields, even when there are no saved login VERIFIED mozilla52
1317882 P1 Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) AutoComplete dropdown with Insecure Warning is not extended the correct height at first time opening VERIFIED mozilla53
1318194 P1 Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) Can't autocomplete usernames on insecure pages. VERIFIED mozilla53
1318203 -- Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) Don't show autocomplete UI on Password Field if it is already populated with text VERIFIED mozilla53
1318537 P1 Password Manager Matthew N. [:MattN] Remove Learn More link from the Insecure Password Fields autocomplete popup VERIFIED mozilla52
1319919 P1 Security Matthew N. [:MattN] Refine Insecure Password Warning style VERIFIED Firefox 53
1324918 P1 Password Manager Matthew N. [:MattN] Insecure Login Field Warning is unreadable on Ubuntu, when hovered (due to using wrong background color for hover state of dropdown menu) VERIFIED mozilla53
1325437 P3 Password Manager Don't automatically show autocomplete UI upon focusing a non-empty username field NEW ---
1325695 P1 Password Manager Sean Lee [:seanlee][:weilonge] Wrapping width of the insecure login field warning doesn't reflect the <input> width sometimes VERIFIED mozilla53
1325869 P1 Theme Some popups and menus have a weird transparent background on Ubuntu High Contrast theme RESOLVED ---
1326224 -- Security The insecure login field warning should get skipped during keyboard navigation RESOLVED ---
1329188 -- Password Manager Drop down menu for usernames includes the notif for un secure connections RESOLVED ---
1329333 P3 Form Manager autocomplete becomes visually detached from field NEW mozilla52
1329351 P1 Form Manager Matthew N. [:MattN] Form history shows on password fields if password manager is disabled RESOLVED mozilla53
1329356 -- Password Manager autocomplete dropdown list has vertical scroll bar. (the dropdown list is not expanded to a sufficient height) VERIFIED ---
1329631 P1 Password Manager Matthew N. [:MattN] Autofill not dismissed after second username selection VERIFIED mozilla53
1329640 P3 Password Manager Console errors and warnings related to Password Manger NEW ---
1329940 P1 Security Kate McKinley [:kmckinley, :Kate] 'not secure' message shown on "secure" HTTPS popup login page VERIFIED Firefox 54
1330111 P1 Password Manager Matthew N. [:MattN] Username autocomplete pops up on secure forms with only one saved login (and are therefore autofilled) VERIFIED mozilla54
1330152 -- Knowledge Base Content Kamil Jozwiak [:kjozwiak] Insecure_passwords SUMO page needs to be updated to support new UI RESOLVED ---
1330597 P3 Security Mike Conley (:mconley) (:⚙️) Firefox contextual insecure forms lacks RTL ASSIGNED ---
1330840 P2 Password Manager Johann Hofmann [:johannh] Add Padding to in-content Insecure Password Warning VERIFIED mozilla54
1331224 -- Password Manager Spurious insecure password warning on Bugzilla RESOLVED ---
1333256 P2 Password Manager Matthew N. [:MattN] Bring back the insecure field warning Learn More text RESOLVED ---
1334026 P1 Form Manager Matthew N. [:MattN] Insecure password field warning doesn't appear on password fields if password manager is disabled VERIFIED mozilla54
1336391 P1 Form Manager Matthew N. [:MattN] Crash in nsFormFillController::StartSearch RESOLVED ---
1336753 -- Security Contextual Feedback on Insecure Passwords blocks fields when notificationbox appears RESOLVED ---
1337246 P2 Security Johann Hofmann [:johannh] Insecure password warning appears on local IP address hosts (such as routers) VERIFIED Firefox 55
1337259 P1 Password Manager Johann Hofmann [:johannh] Don't show password autocomplete upon a right click into the password field VERIFIED mozilla54
1338010 -- Password Manager Insecure field warning appears on Facebook.com RESOLVED ---
1338160 -- General Contextual warning to username/password field on HTTP pages not triggered RESOLVED ---
1338598 P5 Password Manager Top align the lock icon in the insecure password field RESOLVED ---
1340789 P3 Password Manager Contextual Warning pops up when leaving the page via bookmark sidebar NEW ---
1342476 P5 Security The insecure password support page can't be accessed using only the keyboard NEW ---
1342864 -- Security "input autocomplete=postal-code" shows insecure password warning below input field RESOLVED ---
1344390 -- Password Manager Suggestions from password manager stay on screen and then disappear forever when closing tab with browser.tabs.animate=false RESOLVED ---
1345400 -- Security Partial bypass of the "Insecure password" warning in Firefox 52 RESOLVED ---
1345425 -- Security Link at Insecure-Passwort-Hint forwards to unuseful site RESOLVED ---
1345629 P5 Security No whitelist for Notification "Logins entered here could be compromised" UNCONFIRMED ---
1346270 -- General html 5 required input tooltip is hidden by the connection is not secure tooltip NEW ---
1347375 -- Security Sometimes items in context menu aren't visible in insecure fields (covered by "Logins entered here could be compromised" notification) RESOLVED ---
1349739 P5 Security The "insecure login" closes after consuming a context menu click on another window NEW ---
1424609 -- Security Security warning box and autocomplete suggestions box overlap and hide the text input RESOLVED ---
1424894 -- Security "This connection is not secure, Logins here can be compromised" can appear on top of input boxes, making it impossible to see what you're typing (e.g. vBulletin 4) RESOLVED ---
1463506 P3 Password Manager Insecure login form warning appears on intranet sites UNCONFIRMED ---
1510920 P3 Security upgrade-insecure-requests CSP gives Insecure password warning on password input field UNCONFIRMED ---
1534896 P2 Password Manager Matthew N. [:MattN] Don't close the login autocomplete popup when the search string becomes empty VERIFIED mozilla67

55 Total; 11 Open (20%); 22 Resolved (40%); 22 Verified (40%);


  • bug 1217152 - Flip prefs to disable login autofill on HTTP and enable the warning on insecure login fields
ID Priority Component Assigned to Summary Status Target milestone
376668 P1 Password Manager Dale Harvey (:daleharvey) Improve discoverability of login autocompletion (used with multiple accounts) VERIFIED mozilla53
1120037 P1 Password Manager Dale Harvey (:daleharvey) Username autocompletion isn't attached initially when the username field with autocomplete=off is focused with <body onload="field.focus()"> RESOLVED ---
1289913 P1 Password Manager Sean Lee [:seanlee][:weilonge] Show autocomplete UI on password fields VERIFIED mozilla52
1302474 P1 Password Manager Johann Hofmann [:johannh] Add a pref to disable login autofill on insecure forms VERIFIED mozilla52
1329356 -- Password Manager autocomplete dropdown list has vertical scroll bar. (the dropdown list is not expanded to a sufficient height) VERIFIED ---
1330561 P1 Password Manager Jared Wein [:jaws] (please needinfo? me) Autofill/Autocomplete/Insecure warning cannot be opened in username field right away in a new tab VERIFIED mozilla67
1330953 P3 Password Manager Dropdown closes when I click the border of the username or password field NEW ---
1331617 P3 Password Manager The drop down doesn't match the size of the input field on Facebook NEW ---
1331655 P3 Autocomplete When I move the browser window the drop down doesn't work correctly NEW ---
1331926 -- Password Manager Dropdown appears in the username field even if you have saved only 1 user RESOLVED ---
1331934 P3 Password Manager Position of autofill dropdown covers the focused field (Ubuntu only) NEW ---
1331959 -- Password Manager On imdb.com the username field is populated with usernames saved on facebook.com RESOLVED ---
1332306 P2 Password Manager Login autocomplete dropdown doesn't open if you close a tab RESOLVED ---
1332342 -- Password Manager The key icon is missing on IMDb website after one entry is saved RESOLVED ---
1332618 -- General Email input box cannot be deleted when Screen reader is used NEW ---
1512755 P2 DOM: UI Events & Focus Handling Should not auto-scroll to auto-focused input (or password input) when switching tab NEW ---

16 Total; 6 Open (37.5%); 5 Resolved (31.25%); 5 Verified (31.25%);


Testcases

Overview

Summary of testing scenarios

Test Areas

| Test Areas | Covered | Details (and why) | Reviewed by |
|---|---|---|---|
| Private Window | No | Although the private window is affected by the changes, it is not in scope | :tanvi, :MattN |
| Multi-Process Enabled | Yes | Default setting | :tanvi, :MattN |
| Multi-process Disabled | Yes | The same functionality as with e10s enabled should be verified | :tanvi, :MattN |
| Theme (high contrast) | Yes | Ensure that the warning is visible and accessibility colors are used | :tanvi, :MattN |
| UI | | | |
| Mouse-only operation | Yes | User facing functionality | :tanvi, :MattN |
| Keyboard-only operation | Yes | User facing functionality | :tanvi, :MattN |
| Display (HiDPI) | Yes | HiDPI enters the scope of the testing | :tanvi, :MattN |
| Interaction (scroll, zoom) | Yes | | :tanvi, :MattN |
| Usable with a screen reader | Yes | Technically, the autofill rich text should be accessible, so yes | :tanvi, :MattN |
| Usability and/or discoverability testing | Yes | | :tanvi, :MattN |
| RTL build testing | Yes | | :tanvi, :MattN |
| Help/Support | | | |
| Help/support interface required | TBD | | |
| Support documents planned (written) | Yes | Support page needs updating | :tanvi, :MattN |
| Install/Upgrade | | | |
| Feature upgrades/downgrades data as expected | No | feature doesn't upgrade/downgrade | :tanvi, :MattN |
| Does sync work across upgrades | No | not in the scope | :tanvi, :MattN |
| Requires install testing | No | not in the scope | :tanvi, :MattN |
| Affects first-run or onboarding | No | not in the scope | :tanvi, :MattN |
| Does this affect partner builds? Partner build testing | Yes | This pref and feature are going to be defaulted, therefore they will affect partner builds as default | :tanvi, :MattN |
| Enterprise | | Raise the topic with developers to see whether they expect the feature to work differently on ESR builds | |
| Enterprise administration | N/A | | :tanvi, :MattN |
| Network proxies/autoconfig | N/A | | :tanvi, :MattN |
| ESR behavior changes | N/A | | :tanvi, :MattN |
| Locked preferences | N/A | | :tanvi, :MattN |
| Data Monitoring | | | |
| Temporary or permanent telemetry monitoring | Yes | Should be monitored | :tanvi, :MattN |
| Telemetry correctness testing | Yes | to contact :MattN for details | :tanvi, :MattN |
| Server integration testing | No | Not in scope. | :tanvi, :MattN |
| Offline and server failure testing | No | Not in scope. | :tanvi, :MattN |
| Load testing | No | Not in scope. | :tanvi, :MattN |
| Add-ons | | If add-ons are available for testing the feature, or if the current feature will affect some add-ons, then API testing should be done for the add-on. | |
| Addon API required? | No | Not in scope | :tanvi, :MattN |
| Comprehensive API testing | No | Not in scope | :tanvi, :MattN |
| Permissions | No | Not in scope | :tanvi, :MattN |
| Testing with existing/popular addons | Yes | to test with the most popular password managers | :tanvi, :MattN |
| Security | | Matt Wobensmith is in charge of security. We should contact his team to see if security testing is necessary for the current feature. | |
| 3rd-party security review | No | | :tanvi, :MattN |
| Privilege escalation testing | No | | :tanvi, :MattN |
| Fuzzing | No | | :tanvi, :MattN |
| Web Compatibility | | depends on the feature | |
| Testing against target sites | Yes | | :tanvi, :MattN |
| Survey of many sites for compatibility | Yes | | :tanvi, :MattN |
| Interoperability | | depends on the feature | |
| Common protocol/data format with other software: specification available. Interop testing with other common clients or servers. | No | | :tanvi, :MattN |
| Coordinated testing/interop across the Firefoxes: Desktop, Android, iOS | No | not implemented at this moment across the platforms | :tanvi, :MattN |
| Interaction of this feature with other browser features | Yes | autocomplete refactoring might affect other areas such as form history or data lists | :tanvi, :MattN |

Test suite

Full Test suite -  TestSuite

Bug Work

Tracking bugs:


ID Priority Component Assigned to Summary Status Target milestone
376668 P1 Password Manager Dale Harvey (:daleharvey) Improve discoverability of login autocompletion (used with multiple accounts) VERIFIED mozilla53
1217152 P1 Password Manager Tanvi Vyas[:tanvi] Flip prefs to disable login autofill on HTTP and enable the warning on insecure login fields VERIFIED mozilla53
1217162 P1 Security Sean Lee [:seanlee][:weilonge] Implement Contextual Feedback on Insecure Passwords RESOLVED Firefox 52
1289913 P1 Password Manager Sean Lee [:seanlee][:weilonge] Show autocomplete UI on password fields VERIFIED mozilla52
1296638 P3 Form Manager Mike Conley (:mconley) (:⚙️) Switch toolkit Form Autocomplete popup from using a <xul:tree> to using a <xul:richlistbox> VERIFIED mozilla52
1302474 P1 Password Manager Johann Hofmann [:johannh] Add a pref to disable login autofill on insecure forms VERIFIED mozilla52
1311301 P1 Password Manager Dale Harvey (:daleharvey) Improve discoverability of login autocompletion autofocused inputs RESOLVED mozilla53
1314478 P1 Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) Contextual Insecure Password Warning should show up for all username fields, even when there are no saved login VERIFIED mozilla52
1317882 P1 Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) AutoComplete dropdown with Insecure Warning is not extended the correct height at first time opening VERIFIED mozilla53
1318194 P1 Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) Can't autocomplete usernames on insecure pages. VERIFIED mozilla53
1318203 -- Password Manager Tim Guan-tin Chien [:timdream] (please needinfo) Don't show autocomplete UI on Password Field if it is already populated with text VERIFIED mozilla53
1318537 P1 Password Manager Matthew N. [:MattN] Remove Learn More link from the Insecure Password Fields autocomplete popup VERIFIED mozilla52
1319919 P1 Security Matthew N. [:MattN] Refine Insecure Password Warning style VERIFIED Firefox 53
1324918 P1 Password Manager Matthew N. [:MattN] Insecure Login Field Warning is unreadable on Ubuntu, when hovered (due to using wrong background color for hover state of dropdown menu) VERIFIED mozilla53
1325695 P1 Password Manager Sean Lee [:seanlee][:weilonge] Wrapping width of the insecure login field warning doesn't reflect the <input> width sometimes VERIFIED mozilla53
1329351 P1 Form Manager Matthew N. [:MattN] Form history shows on password fields if password manager is disabled RESOLVED mozilla53
1329631 P1 Password Manager Matthew N. [:MattN] Autofill not dismissed after second username selection VERIFIED mozilla53
1329940 P1 Security Kate McKinley [:kmckinley, :Kate] 'not secure' message shown on "secure" HTTPS popup login page VERIFIED Firefox 54
1330111 P1 Password Manager Matthew N. [:MattN] Username autocomplete pops up on secure forms with only one saved login (and are therefore autofilled) VERIFIED mozilla54
1330152 -- Knowledge Base Content Kamil Jozwiak [:kjozwiak] Insecure_passwords SUMO page needs to be updated to support new UI RESOLVED ---
1330840 P2 Password Manager Johann Hofmann [:johannh] Add Padding to in-content Insecure Password Warning VERIFIED mozilla54
1333256 P2 Password Manager Matthew N. [:MattN] Bring back the insecure field warning Learn More text RESOLVED ---
1334026 P1 Form Manager Matthew N. [:MattN] Insecure password field warning doesn't appear on password fields if password manager is disabled VERIFIED mozilla54
1336391 P1 Form Manager Matthew N. [:MattN] Crash in nsFormFillController::StartSearch RESOLVED ---
1337246 P2 Security Johann Hofmann [:johannh] Insecure password warning appears on local IP address hosts (such as routers) VERIFIED Firefox 55
1337259 P1 Password Manager Johann Hofmann [:johannh] Don't show password autocomplete upon a right click into the password field VERIFIED mozilla54
1534896 P2 Password Manager Matthew N. [:MattN] Don't close the login autocomplete popup when the search string becomes empty VERIFIED mozilla67

27 Total; 0 Open (0%); 6 Resolved (22.22%); 21 Verified (77.78%);

ID Priority Component Assigned to Summary Status Target milestone
667233 -- Password Manager Matthew N. [:MattN] HTTP passwords should be used on the HTTPS version of the same domain RESOLVED mozilla49
748193 -- Security Highlight Password Form Fields on http pages or with http submits RESOLVED ---
1179961 P1 Security :Paolo Amadini Use a lock with a strikethrough for HTTP pages that have Password Fields in the Control Center VERIFIED Firefox 44
1191092 -- Security Sean Lee [:seanlee][:weilonge] InsecurePasswordUtils should handle <input type=password> outside of a <form> RESOLVED mozilla48
1193338 P1 General [UX] Handle case where an insecure password field is present in a subframe of an HTTPS page RESOLVED ---
1193339 P1 General [UX] Provide design for Control Center detail view when insecure password fields are present RESOLVED ---
1193341 P1 Password Manager :Paolo Amadini Detect presence of password fields in any subframe, flagging those on insecure connections RESOLVED mozilla44
1216699 P1 Security :Paolo Amadini Add Learn More link to Insecure Password Warning in Control Center VERIFIED Firefox 45
1217133 P1 Security Panos Astithas (he/him) [:past] (please ni?) Don't warn about insecure passwords on localhost VERIFIED Firefox 45
1217150 P1 General Ash Grigas [UX] create design spec for insecure password feedback over https on login/password form field RESOLVED ---
1217152 P1 Password Manager Tanvi Vyas[:tanvi] Flip prefs to disable login autofill on HTTP and enable the warning on insecure login fields VERIFIED mozilla53
1217156 P1 Security Tanvi Vyas[:tanvi] Add a preference to turn on/off insecure password warnings RESOLVED Firefox 45
1217162 P1 Security Sean Lee [:seanlee][:weilonge] Implement Contextual Feedback on Insecure Passwords RESOLVED Firefox 52
1217165 P1 Security Joni Chan Write Learn More SUMO Article for Insecure Password Warning in Control Center RESOLVED ---
1217766 P1 Security :Paolo Amadini All PDFs trigger the insecure password warning VERIFIED Firefox 46
1221206 P1 Security Tanvi Vyas[:tanvi] Turn on Insecure Password Warning for Firefox Dev Edition VERIFIED Firefox 46
1241292 P1 Security Tanvi Vyas[:tanvi] Revisit "Your login could be compromised" string for Insecure Password Warning RESOLVED Firefox 46
1244022 P1 Security Jonathan Kingston [:jkt] he/him Wrong mouse over message for crossed out lock icon VERIFIED Firefox 48
1257757 P1 Password Manager Matthew N. [:MattN] Include filenames in InsecurePasswordUtils errors VERIFIED mozilla48
1261234 -- Password Manager Sean Lee [:seanlee][:weilonge] Insecure form action password form warning appears for trustworthy action URLs using HTTP RESOLVED mozilla49
1262009 -- Security Brian Grinstead [:bgrins] Firefox attempts to update ssl information for chrome URLs that contain inner frames with secure content RESOLVED Firefox 48
1272507 -- Password Manager Matthew N. [:MattN] HTTP passwords should be used on the HTTPS version of HTTP auth on the same domain RESOLVED mozilla51
1301772 P1 Security Panos Astithas (he/him) [:past] (please ni?) Turn on Insecure Password Warning in Firefox Beta VERIFIED Firefox 51
1349681 -- Security Show the lock with a strike-through in the address bar when insecure credit card fields are present RESOLVED ---

24 Total; 0 Open (0%); 15 Resolved (62.5%); 9 Verified (37.5%);

ID Priority Component Assigned to Summary Status Target milestone
376668 P1 Password Manager Dale Harvey (:daleharvey) Improve discoverability of login autocompletion (used with multiple accounts) VERIFIED mozilla53
1289913 P1 Password Manager Sean Lee [:seanlee][:weilonge] Show autocomplete UI on password fields VERIFIED mozilla52
1302474 P1 Password Manager Johann Hofmann [:johannh] Add a pref to disable login autofill on insecure forms VERIFIED mozilla52
1330561 P1 Password Manager Jared Wein [:jaws] (please needinfo? me) Autofill/Autocomplete/Insecure warning cannot be opened in username field right away in a new tab VERIFIED mozilla67

4 Total; 0 Open (0%); 0 Resolved (0%); 4 Verified (100%);

Sign off

Criteria

Check list

  • All test cases should be executed
  • Has sufficient automated test coverage (as measured by code coverage tools) - coordinate with RelMan
  • All blockers, criticals must be fixed and verified or have an agreed-upon timeline for being fixed (as determined by engineering/RelMan/QA)

Results

Nightly testing

List of OSes that will be covered by testing

Beta Testing

Checklist

Exit Criteria Status Notes/Details
Testing Prerequisites (specs, use cases) No AFAIK, the available documentation is not summarized in a doc. (spread into several bugs/metabugs)
Testing Infrastructure setup Yes
Test Plan Creation Yes
Test Cases Creation Yes
Full Functional Tests Execution Yes
Automation Coverage TBD
Performance Testing
All Defects Logged Yes
Critical/Blockers Fixed and Verified Yes
Metrics/Telemetry
QA Signoff - Nightly Release No Feature uplifted to Aurora
QA Aurora - Full Testing Yes
QA Signoff - Aurora Release Yes Email sent
QA Beta - Full Testing N/A
QA Signoff - Pre-Release Sign off [DONE] Email sent 02-27-2017 (GREEN)