password not saved for mail.yahoo.co.jp - request to recompile with WALLET_DONT_CACHE_ALL_PASSWORDS undefined

over to password manager.

That's because yahoo has opted out of using the password manager.

Verified

*** Bug 111603 has been marked as a duplicate of this bug. ***

Modifying summary: "mamanger" -> "manager"

Is there anything that we can do to convince Yahoo! to use the password manager?

*** Bug 111634 has been marked as a duplicate of this bug. ***

*** Bug 82956 has been marked as a duplicate of this bug. ***

*** Bug 90013 has been marked as a duplicate of this bug. ***

*** Bug 110008 has been marked as a duplicate of this bug. ***

Forest Taylor: Is there anything that we can do to convince Yahoo! to use the
password manager?

Yes. Open a separate bug and assign it to evangelism. The opt-out feature was
added to satisfy the strong demands of the financial community. But there is
absolutely no reason that yahoo mail should consider itself in that category and
chose to opt out. See all the dups of this bug and you'll realize how many
people are agreeing with me.

*** Bug 114468 has been marked as a duplicate of this bug. ***

*** Bug 115809 has been marked as a duplicate of this bug. ***

Created attachment 62087
Hack to re-enable the autocomplete ^_~

Hm, this will fix your problems :)

"The opt-out feature was added to satisfy the strong demands of the financial
community."

Why do we have this button 'Never for this site', if you can't use it? Are we,
mozilla and netscape users, really that stupid? The financial community can go
to hell with their demands. Power to the people :)

The correct way to do this is to look in extensions/wallet/src/wallet.cpp and
search for the sections of code that are bracked by #ifdef
WALLET_DONT_CACHE_ALL_PASSWORDS. Rewrite that to be conditional code based on a
pref setting.

Only problem is whether or not the financial institutions pull the plug on the
mozilla/netscape6 browser if we do that.

*** Bug 101048 has been marked as a duplicate of this bug. ***

*** Bug 118688 has been marked as a duplicate of this bug. ***

Reopening and moving to evangelism. We should at least let Yahoo know how many
Mozilla users reported this bug to us.

-> tech evangelism

*** Bug 120512 has been marked as a duplicate of this bug. ***

Most but not all the dups of this bug have to do with yahoo mail (see 101048 and
120512 for example and there are a few others). Therefore changing summary from

   yahoo mail login form tells password manager not to offer to remember pwds

to

   Several sites, notably yahoo mail, opt out of using password manager

It's true that most of the other sites are financial institutions and they have
good reason (at least in their opinion) of opting out. So there's nothing much
evangelism can do there. But sites like yahoo mail have no justification for
opting out and these are the sites that evangelism should focus on.

this is not in the scope of the evangelism effort. They are using the available
features of the browser. If you as a customer do not like that, please complain
or use another service.

doron, i say mark it invalid.

Anyone want to do this? We have more important bugs out there, but if someone
wants to take this and contact yahoo, that person can take the bug. Otherwise,
invalid

*** Bug 124829 has been marked as a duplicate of this bug. ***

IMO users should have to have a way to force the use of the password manager,
despite everything the site says.

I agree that the user should have the choice, even if it's not a default and
activated by a hidden pref. A browser is a *client* application, and banks
shouldn't be able to blackmail Mozilla into inconveniencing users who wish to
make a choice - after all, users could walk around with their password details
printed on their T-shirts if they really wanted to, so why aren't we allowed to
instruct our browsers to memorise things for us?

If it's difficult to activate (e.g. hidden pref / lots of warning dialog boxes),
then it can only be done by someone conscious of the risks, hence there can be
no *reasonable* case for anyone to block the browser.

There are two separate issues here so let's not confuse them.

One is whether the user should have access to a hidden pref to override a
financial website which has a bonafide reason for wanting to opt out of password
manager. That is the topic of bug 124065. See also bug 63961 which created the
ability for a site to opt out in the first place.

The other issue is specifically about yahoo.mail, and whether it should be using
this opt-out mechanism that was designed for financial institutions. That is
the issue in this bug report. IMO, the answer is that they should not be and
that an evangelist will need to get them to see the error of their ways.

Please keep discussion in this bug focused on the second issue only, since there
are other bug reports specifically for the first.

as I am not very mistaken, you can use the financial section of Yahoo with the
same userID and password of the mail section.
Even more if you sign into mail, you need not sign in for financial again -> the
same cookie is used.

Whether the yahoo financial section justifies to use a "bank opt-out" is IMHO
another point.

Christian: If by "the financial section of Yahoo" you mean PayDirect, it
requires an extra password in addition to your Yahoo ID and password. It makes
sense for PayDirect to require this extra password, because users aren't as
careful with webmail passwords as they are with financial passwords. PayDirect
only asks you to enter the extra password once you have logged into Yahoo *and*
established an https connection to Paydirect. The form that asks you for the
extra password correctly uses autocomplete=off.

*** Bug 134789 has been marked as a duplicate of this bug. ***

Jesse: I believe Christian meant finance.yahoo.com and the umbrella of other
domains under it (banking.yahoo.com, loans.yahoo.com, insurance.yahoo.com,
taxes.yahoo.com, etc.) which includes function for tracking nearly every piece
of personal financial information you could dream up, including 401K, credit
cards, stocks and bonds, taxes and more. All of this is "protected" behind a
common login page hosted off of login.yahoo.com, which also happenes to be the
common login of mail.yahoo.com. This of course brings up the irony of the fact
that on a page where they prohibit us from saving userid/password in PSM, they
offer a checkbox to have them leave a cookie and remember your login.

*** Bug 137471 has been marked as a duplicate of this bug. ***

*** Bug 139920 has been marked as a duplicate of this bug. ***

I had contacted yahoo regarding using the autocomplete=off in their login form
long before mozilla supported the autocomplete attribute. They never replied back.

Also, I tried the hack that is mentioned, but the password manager doesn't kick
in the first time when I visit http://mail.yahoo.com, it only appears when I
signin and then signout and then try to sign in. Think it has something to do
with the way the current URL and the form submission URL. The first time I visit
Yahoo mail, the location bar is http://mail.yahoo.com, while if I login and
logout and go to the sign in page, the location bar is at
http://login.yahoo.com. The form submits to https://login.yahoo.com.

Tushar: could you try again? and tell them how many people ask for that?

It seem that Neil forgot to inform you about one little trick, javascript should
be disabled the first time only!

1 - disable javascript for navigator (Menu/Edit/Preferences/Advanched/Script &
Windo...
2 - now, visit http://mail.yahoo.com
3 - type your name and password here (password dialog will be displayed)
4 - re-enable javascript for navigator

Now, your worries are over. I should know, because I'm the person who developed
this little hack for MultiZilla, and it still works ;)

you know, i'm sure that doubleclick would be unhappy to know that i blocked all
images from their site. i'm also sure that a lot of people would be unhappy to
know that my cookies are killed whenever i close the browser.

these options are still available in mozilla.
i see no reason why i shouldnt be able to force mozilla to remember the password
for a specific page. if yahoo wants to make their default to not-remember,
fine. but it is my computer, i want to be able to override it.

*** Bug 143074 has been marked as a duplicate of this bug. ***

My Yahoo login password is saved in my password manager. Is this a legacy from
before Yahoo opted out?

*** Bug 268978 has been marked as a duplicate of this bug. ***

*** Bug 280790 has been marked as a duplicate of this bug. ***

like db in comment 91, i've tried setting wallet.crypto.autocompleteoverride to
true and i've tried jesse's "remember password" bookmarklet from
http://www.squarefree.com/bookmarklets/forms.html#remember_password . i tried
the disable javascript hack. still no dice with mail.yahoo.com... why is yahoo
able to dictate this behavior?

i've been testing all this on firefox 1.0.1 on XP.

I've switched to a Mac since my last post. In addition to having this bug, Yahoo has become so slow and
tedious to use that it's not worth it. I'm giving up on Yahoo altogether.

There's another issue here. Some sites' passwords won't save even though there's
no autocomplete="off" in the code.

This is because they use JavaScript to generate a SHA-1 hash of the password
(with salt added) client-side and store that in a seperate form field prior to
submission. They also blank the real password field to prevent the cleartext
password being sent.

Because the password field is blanked and Password Manager must not check until
after onsubmit="" is called, Password Manager doesn't offer to remember the
password.

You can observe this at http://album.co.nz/ and also at banking site
http://www.kiwibank.co.nz/

The Kiwibank problem was reported in Bug #208857

(In reply to comment #98)

> You can observe this at http://album.co.nz/ and also at banking site
> http://www.kiwibank.co.nz/

*** Bug 292828 has been marked as a duplicate of this bug. ***

another option i tried is the "Allow Password Remembering" grease monkey user
script available from the 4/10/05 post at
http://blog.monstuff.com/archives/cat_greasemonkey.html . in theory, it should
behave the same way as setting wallet.crypto.autocompleteoverride to true. as
expected, this still doesn't work with mail.yahoo.com :(

does anyone have a solution for mail.yahoo.com?

Adding self to CC list.

(In reply to comment #16)
> The correct way to do this is to look in extensions/wallet/src/wallet.cpp and
> search for the sections of code that are bracked by #ifdef
> WALLET_DONT_CACHE_ALL_PASSWORDS. Rewrite that to be conditional code based on a
> pref setting.

Is this an instructions for end-users who can tweak something within their
profile or install directory or instruction for coders? Please explain.

(In reply to comment #102)
> Is this an instructions for end-users who can tweak something within their
> profile or install directory or instruction for coders? Please explain.

That's an implementation suggestion for developers, not something the average
end user would be doing. It would require changing the source code to mozilla
and rebuilding the browser.

The same behaviour as described in comment #98 I find at
http://www.friendscout24.de/

With javascript, they somehow manage to blank out the password. But how do they
differentiate between the password a user typed in and one password manager
types in?

What about suggesting to Yahoo! that they create another login page which does
not use AUTOCOMPLETE="off"?

If they didn't advertise that alternate login page, but instead just made it
quietly available to only those of us clamoring for it and persistent enough to
locate it -- wouldn't that solve the problem for everyone?

Yahoo! currently has "standard" and "secure" login pages. I'm just talking
about exact duplicates of those pages without the AUTOCOMPLETE tag. This is as
close as it gets to being zero effort for Yahoo! to address.

I'd suggest this to Yahoo! myself, but it's clear from reading all the comments
here that others have better connections that I do. OTOH, if this is a good
idea, let's all suggest this to them en masse.

*** Bug 329298 has been marked as a duplicate of this bug. ***

*** Bug 345615 has been marked as a duplicate of this bug. ***

Here is a way to add blocked sites without adding any extensions or scripts to Firefox:
http://dotancohen.com/howto/firefox_password_manager.php

Tested on Yahoo, Wachovia, Fabulous. (disclaimer: it is my site, I wrote it)

*** Bug 349521 has been marked as a duplicate of this bug. ***

*** Bug 385185 has been marked as a duplicate of this bug. ***

*** Bug 436062 has been marked as a duplicate of this bug. ***

*** Bug 484133 has been marked as a duplicate of this bug. ***

*** Bug 486875 has been marked as a duplicate of this bug. ***

*** Bug 496332 has been marked as a duplicate of this bug. ***

*** Bug 498437 has been marked as a duplicate of this bug. ***

*** Bug 509531 has been marked as a duplicate of this bug. ***

Maybe I'm dense but I don't see what autocomplete has to do with not recognizing cookies. If I go to www.netflix.com the first thing it tells me is my cookies are not enabled. I know this is wrong because my cookies have always been enabled and the problem started around Firefox 3.0.x when I had changed nothing. I suppose this duplicates some bug but I haven't a clue what it might be.

It doesn't. longsonr got confused by the summary of bug 509531. I reopened it for you and gave it a slightly better summary.

*** Bug 833504 has been marked as a duplicate of this bug. ***

*** Bug 833504 has been marked as a duplicate of this bug. ***