API to tell Chrome Password Manager that user has interacted with page

Post Reply
binki
Posts: 5
Joined: 30.08.13 19:00:37

API to tell Chrome Password Manager that user has interacted with page

Post by binki » 19.09.17 15:46:06

Hi,

I have the issue that Chrome refuses to autofill an

Code: Select all

<input type="password"/>
before the user physically clicks or keyboards inside the page. Is there some Chrome extension API which Tampermonkey could expose as a GM_ or TM_ API which could be used to force Password Manager to autofill the password fields in the form or perhaps just mark the page as having been interacted with physically by the user to trigger the password autofill?

Firefox always autofills passwords without waiting for the user to physically interact with the page, so that is why Greasemonkey does not provide a GM_ API for this. From my observations, this seems to be a different behavior in Chrome which prevents scripts which run successfully on Greasemonkey (Firefox) from running in Tampermonkey (Chrome).

See details at my question: https://stackoverflow.com/q/46268851/429091

Brief demo: Navigate to https://fiddle.jshell.net/xqfynp3e/22/show/light/?1 and save a password into Chrome. Then open Console and use

Code: Select all

window.location.href = 'https://fiddle.jshell.net/xqfynp3e/22/show/light/?1'
to navigate without accidentally marking the page as user-interacted with. Before clicking in the page: https://i.imgur.com/bPF774A.png After clicking in the page: https://i.imgur.com/PHv5AsZ.png . I want to somehow get past the click step with a new Tampermonkey API.

Thanks!

jcunews
Posts: 5
Joined: 28.09.17 15:11:00

Re: API to tell Chrome Password Manager that user has interacted with page

Post by jcunews » 28.09.17 20:12:31

AFAIK, Chrome doesn't expose its Password Manager to browser extensions, or expose it but doesn't provide a ways to auto fill a form on demand. No extension would be able to do anything if a browser function is not made accessible.

You can however, write your own form filler UserScript. If it includes password manager for problematic sites like you mentioned, you can do so too - preferrably with a master password or encryption so that the saved credentials can't be read without a key.

binki
Posts: 5
Joined: 30.08.13 19:00:37

Re: API to tell Chrome Password Manager that user has interacted with page

Post by binki » 10.10.17 17:25:46

Thanks for the response. It seems like, as you say, Chrome does not appear to provide in its API a way to ask the Password Manager to fill in passwords without requiring user interaction.

However, I’d like to share my findings for an experimental Web API Chrome offers which provides sufficient support for the functionality I was looking for. Chrome has support for https://w3c.github.io/webappsec-credential-management/ . If you use this API to get the credentials and perform a certain sort of setup procedure, Chrome will give content scripts access to credentials without requiring any user interaction.

You can trigger Chrome to show the “want to save this password?” dialog with navigator.credentials.store(new PasswordCredential({id: 'username', password: 'password'})).

You can determine if fully-automatic login is configured by the user by doing navigator.credentials.get({password: true, mediation: 'silent'});

You can get Chrome to display the prompt that gets the UI for automatic login to show up by running navigator.credentials.get({password: true}) (i.e., omit mediation). This is the ugly step. Basically, if you don’t request silent mediation, Chrome will always show the mediation UI and require the user to click. Also, if the user has multiple usernames for the site, silent mediation will never work. And silent mediation will only work if you do optional (default value for mediation) mediation once and the user clicks Login in Chrome’s UI and *then* the user also enables automatic login when Chrome asks the user subsequently.

I’ve tried to scrunge together a full pictorial demo here: https://imgur.com/a/ts2W1

Post Reply

Return to “Feature Requests”

Who is online

Users browsing this forum: No registered users and 1 guest