Hirevo/alexandrie

Self-modifying login form password field interferes with the Firefox remember password feature

ravenexp opened this issue · 0 comments

In the current implementation the password field value is replaced just before submitting the form,
causing Firefox to remember the password hash string instead of the user input.
This leads to a login failure when the user attempts to use the remembered password next time.

The problematic script part:

const button = form.querySelector('input[type="submit"]');
form.addEventListener("submit", function (event) {
    event.preventDefault();
    button.disabled = true;
    button.value = "Loading...";
    password.value = removeByteOrderMark(Rust.pbkdf2_encode(password.value, email.value, 5000));
    this.submit();
});

Perhaps a hidden form field can be used to pass the hash to the server.
The password field itself can be made unnamed or disabled to prevent the browser from sending raw passwords to the server.
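
The hidden-field approach suggested above, as an added example that is not part of the issue and not Alexandrie's own code. `prepareLoginForm` and `derive` are hypothetical names (`derive` stands in for the `removeByteOrderMark(Rust.pbkdf2_encode(...))` call), and selecting the email field by `input[type="email"]` and keeping the server-side field name unchanged are assumptions.

```javascript
// Added example (hypothetical helper, not the project's code).
// derive(password, email) is assumed to be synchronous, like the call in the
// issue: removeByteOrderMark(Rust.pbkdf2_encode(password, email, 5000)).
function prepareLoginForm(form, derive) {
    const password = form.querySelector('input[type="password"]');
    const email = form.querySelector('input[type="email"]'); // assumed selector
    const button = form.querySelector('input[type="submit"]');

    // Move the submitted name onto a hidden field. A control without a name
    // is left out of the submitted form data, so the raw password is not sent
    // and the server still reads the hash from the field name it expects.
    const hidden = form.ownerDocument.createElement("input");
    hidden.type = "hidden";
    hidden.name = password.name;
    hidden.value = "";
    password.removeAttribute("name");
    form.appendChild(hidden);

    form.addEventListener("submit", function (event) {
        try {
            // The visible field is only read, never overwritten, so it still
            // holds what the user typed when the form is submitted.
            hidden.value = derive(password.value, email.value);
        } catch (err) {
            // Derivation failed: cancel rather than submit an empty hash.
            event.preventDefault();
            return;
        }
        // No preventDefault() on success: the native submission continues
        // with the hidden field filled in.
        button.disabled = true;
        button.value = "Loading...";
    });
    return hidden;
}
```

In a page this would be called once after the form is parsed, passing the login form element and a function wrapping the existing hashing call.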