Chrome password auto-fill breaking IPv6

bimmerdriver

This is really strange. I noticed recently that chrome is auto-filling the pfsense webgui username into Interfaces / WAN / DHCP Client Configuration / Reject leases from, resulting this error:

The following input errors were detected:
An invalid IP address was detected in the 'Reject leases from' field.

This prevents the IPv6 gateway from starting. In years of running pfsense, I've never seen this behaviour. The only way I could prevent this from happening was to remove the webgui username and password from the list of credentials being stored by chrome. Is there any other work-around?

Derelict

Probably stopping your browser from erroneously-filling form fields is the best way forward.

bimmerdriver

@Derelict Sure, I'll give the chrome developers a call and tell them to get on it right away.

Derelict

You can turn it off without that. Not sure it's pfSense's job to play whack-a-mole with the all of the browsers' auto-fill plus all of the password extension auto-fill and every possible combination of the same.

It is Chrome erroneously-filling the field. How is it that you perceive that to be pfSense's problem to fix?

The fact that chrome is filling fields you don't want filled in a web page you don't want them filled into - especially a username and password - and it is not obvious to you that this is happening - means disabling that "feature" in the browser might be prudent.

bimmerdriver

@Derelict I asked if there was a work-around other than disabling auto-filling of the pfsense webgui username and password. Not sure where you took the leap that I was saying it was a pfsense problem. Since this didn't happen before, either something changed in chrome or in the webgui. I posted here to see if anyone else was encountering this.

Gertjan

@bimmerdriver : I don't want to 'leap' neither, but I'm pretty sure that most of us that reply questions here, do not use Chrome. This makes the problem less known ^^

A solution would be : dig onto the settings of Chrome, and find the list with all the URL that have a user/password, then just 'reset' what has been stored.
Automatic user/password fill in works pretty the same for all browser : if the URL matches and a html keywords like user and password or pass-word or pass are all present on the same page, then the browser presume that the filled in text might be a user/password pair, and proposes you to save it (adding to the list).
btw : Auto-filling is a pure browser thing.

Also : remember : Chrome has a default plugin that isn't shown - and can't be deactivated , and has access to all the pages you visit, info you type, etc : Google. I have to say right away that I somewhat trust Google ... but the day they 'brake' we'll be in for some big headlines.

johnpoz

As per Derelicts spot on advice, I use lastpass, and it trying to do what it does can cause slow downs in the web gui on some pages.

So what I do is tell lastpass to ignore or not do anything on those pages of the gui. But allow it to autofill in the login page..

For some reason the lastpass script will hang the browser up for some time on the interface page of the gui, so I had to tell lastpass to not do anything ever on that page.

example

How that is done in chrome have no idea, I don't use it very often. But I don't see how chrome filling in stuff it shouldn't be has anything to do with pfsense.. How do you suggest pfsense stop chrome from doing that exactly?

JeGr

@johnpoz said in Chrome password auto-fill breaking IPv6:

How do you suggest pfsense stop chrome from doing that exactly?

You can't (restrict it to a single page only). You can either turn on auto-form-filling or off. It does an "educated guess" with type, id and name (I suppose) of the HTML forms and if one or two are something like "id/user/pass/whatever" it gets pasted in. Sometimes helpful (complete address block or sth alike) but encountered many pages in pfSense pages, that it trigger-happy jumps to conclusions.

But I can't see why "dhcprejectfrom" would trigger its list for username. Perhaps an address entry but that's far away from any username matching.

What you can is modifiy the "don't save for..." list so it won't show up with password suggestions. But that is domain-wide. Other than that you only have payment or autofill settings left, but as OP states, that it autofills username/pass, those other two aren't the culprits.

johnpoz

My point exactly - what does the OP think pfsense could do to keep chrome from jumping to conclusions about form boxes? Its not like the forms fields are all labeled username and password ;)

The OP had the right idea, but pretty sure it was meant as sarcastic response ;) hehehe

I'll give the chrome developers a call and tell them to get on it right away.

JeGr

Actually I just checked: seems a Chrome "bug" to me. Besides the "autofilling" being annoying, filling that field makes no sense. If you go to System>Advanced>Misc it fills out the Proxy User/Pass but that actually makes some sense. Don't like the autofill without questioning thing.

But got one step further and tested with other Chromium forks. E.g. Opera: asks for PW safe, and offers to insert in the System>Adv.>Misc but doesn't autofill. The DHCP Reject form field is ignored completely (won't even offer to save or autofill) so it's definetly something special to Chrome or specific chromium branches.

bimmerdriver

@johnpoz said in Chrome password auto-fill breaking IPv6:

My point exactly - what does the OP think pfsense could do to keep chrome from jumping to conclusions about form boxes? Its not like the forms fields are all labeled username and password ;)

The OP had the right idea, but pretty sure it was meant as sarcastic response ;) hehehe

I'll give the chrome developers a call and tell them to get on it right away.

Again, where did I say it was a pfsense problem?

johnpoz

Your in the pfsense webgui section...

Where you should be is your browser of choice forums asking them for how to stop it from filling in shit it shouldn't be filling in... There is NOTHING pfsense can do to stop your browser from doing that!

You have already been given your "work arounds"

Use a different browser, disable its auto fill feature.

bimmerdriver

@johnpoz said in Chrome password auto-fill breaking IPv6:

Your in the pfsense webgui section...

Where you should be is your browser of choice forums asking them for how to stop it from filling in shit it shouldn't be filling in... There is NOTHING pfsense can do to stop your browser from doing that!

You have already been given your "work arounds"

Use a different browser, disable its auto fill feature.

Again, not clear how you jumped to conclusion that I was implying this is a pfsense problem solely on the basis that I was posting in the webgui section. What other section would I post a question about the webgui in?

johnpoz

It has ZERO to do with pfsense or its gui... Again you should be on your browsers of choice forums..

Or in the general section.. What your browser autofills has zero to do with pfsense gui at all.

Derelict has already completed this thread to be honest..

Do you think there is some code pfsense could put on its forms to tell chrome not to fill them?

JeGr

@johnpoz said in Chrome password auto-fill breaking IPv6:

Do you think there is some code pfsense could put on its forms to tell chrome not to fill them?

Actually there is. You can set autocomplete="xy" on a form field to signal browsers to stop form-filling or how they should handle them. BUT it also states clearly, that id/names of those fields should be pretty specific to trigger that. The field in question is "dhcprejectfrom" and I can't see how in the hell that should be a trigger to inject a "name" field in it. So either Chrome reads the form name and that triggers it or it's completely bonkers.

My 2c would be to actually stop password-filling/-saving in/from any browser and use a password safe (like keepass) and if you're lazy an extension for your favourite browser to have it fill your login forms after asking. Most extension that does so (lastpass for their service, kee/vault for keepass, etc.) have a much better matching algorithm or configuration on which sites they offer and on which the don't allow to fill in. I'm using a combo of auto-type or "kee" (extension) with keepass for years. Best thing ever. And inter-operable if you ever switch browsers for testing etc.

Derelict

I gave up on all of that browser plugin junk a couple years ago and now use the Lastpass mac application and copy/paste everything. They have made it pretty easy, I think in part due to my feedback. :)

This has the added benefit of being the same workflow for everything - even if it is not in the browser (or is in a secondary browser for testing reasons, etc).

stephenw10

If it's auto-filling a value in that field that value is stored somewhere and you should be able to remove it from Chrome.

I use Chromium all the time and have never hit that issue. The proxy pass/username auto-fill is very annoying though.

Steve

tcarlisle

Wow, the temperature in here sure is hot. Yeah, the OP did not in any way blame pfsense and did not demonstrate an expectation that pfsense would own resolving this.

Anyone that has researched this has found that getting google to consider changing the autofill behavior so it can be disabled on a per-site basis knows that is not going to happen any time soon.

That said, I was able to solve the problem I was seeing by going to my google account and removing saved login/password for the firewall. As long as I have it set to save credentials in google, then certain pages also populate my username on forms. For example, when viewing the admin page for an interface, in the "reject leases from" box., it would always put my login that was saved from the login page.

It probably isn't a particularly good practice to have your firewall credentials saved in a browser anyways.

I spent a little time looking at the page html and I can see no good reason why google chrome would mistake this field for the user's login. So this is clearly a chrome issue.

Raffi_

Agree with @bimmerdriver and @tcarlisle on this. The op did a service of letting others know about the issue and never actually requested a fix or placed blame on pfSense. Yes, the forum is mostly people trying to get a fix or requesting help, but it's not exclusively for those purposes. I often just browse random topics like this to learn from others.

Thanks for the heads up.

Raffi

stephenw10

Technically this should have been in general discussion if it was known not to be a pfSense issue initially.
I've moved it there now.

I've been bitten by this sort of thing and blamed pfSense in the past. It was the LastPass plugin in my case.

Steve