My favorites | Sign in
Project Home Downloads Wiki Issues Code Search
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 32056: Feature Request: API access to HTTP AUTH window, Basic Auth window from Extension
993 people starred this issue and may be notified of changes. Back to list
Status:  Assigned
Owner:  cbentzel@chromium.org
Cc:  a...@chromium.org, erik...@chromium.org, jochen@chromium.org, e...@thedalzells.org, battre@chromium.org

Restricted
  • Only users with EditIssue permission may comment.


Sign in to add a comment
 
Reported by joe-...@lastpass.com, Jan 12, 2010
Chrome Version       :  4.0.288.1 dev and below
URLs (if applicable) : Any that generates a http auth security prompt e.g.
http://titan.lastpass.com/nagios3/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
     Safari 4: OK
  Firefox 3.x: OK
         IE 7: OK
         IE 8: OK

Chrome extensions currently do not have any access to the HTTP Auth window.
 This is available in the other major browsers (Firefox is the best
example) and is LastPass's most requested feature addition on Chrome.
Jan 12, 2010
#1 SergeiKu...@gmail.com
I need FullFeatured free version of LastPass for Chrome badly. This is the only thing 
that prevent me to migrate on Chrome.
Jan 12, 2010
#2 suna...@chromium.org
(No comment was entered for this change.)
Status: Untriaged
Labels: -Type-Bug -Area-Undefined Type-Feature Feature-Extensions
Jan 13, 2010
#3 a...@chromium.org
Scripting the UI windows is a bit weird. Would access to intercept HTTP requests 
directly address this need? (We have considered the ability to intercept http requests 
for other reasons).
Jan 13, 2010
#4 joe-...@lastpass.com
The UI window is where LastPass captures and inserts passwords in Firefox/Safari/IE.
 It provides a way to override easily what we're auto-populating by the end user and
a way for LastPass to capture the password used, and to present a drop down menu if
there are multiple choices.  

With digest auth for example we would miss the opportunity to capture the actual
password if we were limited to HTTP request interface as the password doesn't hit the
wire...
Jan 13, 2010
#5 joe-...@lastpass.com
I should mention that we'd like the HTTP request interface also but for other reasons
(AJAX capture), but it's not as critical to user experience as scripting the UI
windows is for LastPass.
Jan 30, 2010
#6 phajdan.jr@chromium.org
(No comment was entered for this change.)
Labels: Area-Feature
Feb 3, 2010
#7 dick.sch...@gmail.com
This is a must have, all other browsers support accessing these windows. It prevents
me using Chrome - so until this is fixed will stay with Firefox.
Feb 3, 2010
#8 ajal...@gmail.com
I'm also waiting for this. It's preventing me from  migrating from FF to Chrome.
Feb 16, 2010
#9 lafo...@chromium.org
(No comment was entered for this change.)
Labels: -Area-Feature Area-UI
Feb 22, 2010
#10 a...@chromium.org
Joe, can you clarify: if you had a way to intercept http requests and modify their headers, 
would you still need the API to script the UI this way?

I would prefer an extension API that allows you to modify HTTP requests than one that 
allows you to script UI that is more subject to change.
Feb 22, 2010
#11 joe-...@lastpass.com
I would still need to script the UI -- a simple example is at the HTTP header level I
can't capture digest auth passwords at all without doing something horrible*.   Also
the only natural place to provide login choice is in the UI.

* - the only way I could think of was acting as a MITM proxy and changing digest to
basic before chrome processes it and then replacing that with digest on the requests
sent to the server.  
Mar 1, 2010
#12 asargent@chromium.org
(No comment was entered for this change.)
Status: Available
Mar 9, 2010
#13 mishag...@gmail.com
Could Google's be worried about this being used to build virus/worms that defeat some 
level of security?

I notice that the built in password management for chrome DOES seem to "cache" the 
last username and password.   Could you possibly modify the values stored in Chrome's 
password cache?   

OR - could you build the solution as part of "Lastpass for applications"  If lastpass 
for applications can see the GUI prompt it could check the chrome extension to see if 
it's due to a matching URL request and modify the popup from there.   You could even 
do a small "side" popup to give you different password/Autofill choices.

Just a thought.   

Any response from Google on their position with this extension?   It might be useful 
to generate a "compatible" Chromium branch that you could submit to Google as a 
suggestion for how to implement the support.   That might be faster than just 
pleading.   You could at least get the "Chromium" open source environment outside of 
Google to discuss the issue directly.


Mar 18, 2010
#14 yllws...@gmail.com
I have to concur. This is a very desired feature for me. I depend on LastPass for all 
my passwords. I can't use Chrome solely with LastPass for this reason. Have to use 
Firefox. >.<
Mar 18, 2010
#15 themal...@gmail.com
Scripting the UI is also a necessary thing for the KeePass Auto-Type Feature. There's 
already an extension appending the current url to the window title ( 
https://chrome.google.com/extensions/detail/ignpacbgnbnkaiooknalneoeladjnfgb ), but not 
for Login dialogs. This badly interrupts the user experience and makes me stay on 
Firefox.
May 6, 2010
#16 mamc...@gmail.com
I'm also waiting for this. It's preventing me from  migrating from FF to Chrome.

May 26, 2010
#17 thomas.p...@gmail.com
Now, Version 5.0 is out and there is no solution.
May 26, 2010
#18 brett.wh...@gmail.com
Version 5? Thomas they are up to Version 6! I'm using build. 6.0.408.1
May 26, 2010
#19 thomas.p...@gmail.com
Sorry, I meant Chrome
May 26, 2010
#20 joe-...@lastpass.com
I visited the Chrome team while I was out at Google IO; unfortuantely they don't see
this as a very desired feature so it's not clear when or if this would be supported,
we at LastPass may need to look into alternative ways of supporting it.
May 26, 2010
#21 brett.wh...@gmail.com
@thomas
I mean Chrome too...
chrome.jpg
52.7 KB   View   Download
May 26, 2010
#22 thomas.p...@gmail.com
Thx, but when the Chrome Team see this "feature" ( *lol* ) not as desired so it
doesn't matter if its version 5 or 6 :-)
May 26, 2010
#23 caselo...@gmail.com
Chrome has password syncing in their chromium builds, and it's possible that they're 
working on implementing something that will essentially be lastpass-type functionality, 
but built-in.  This might be why they're reluctant to open up the API for LP to do 
this.  Just a thought...

I wish they would do this though.  If the above is true, that would be a lame move that 
kind of goes against the openness that google preaches.  So let's hope that's not the 
case!
May 26, 2010
#24 thomas.p...@gmail.com
@caselogic
I think this is also a reason why xmarks offers only bookmark sync but no password sync.
May 26, 2010
#25 brett.wh...@gmail.com
The internal Chrome password system cant save HTTP AUTH passwords can it? So 'MAYBE' 
they will open it up when the internal chrome system needs that function too.

I use Lastpass because of the security issues related to Chromes password saver, so 
even when password sync is the norm, I'll still use Lastpass.

@Thomas, That is true, sadly. (sorry for being a smart ass)
May 26, 2010
#26 caselo...@gmail.com
I was under the impression that Chrome could in fact save HTTP AUTH passwords.  I can't 
test right now, but I am fairly sure.  I've been using LP for a long while now, though, 
so I can't remember 100%
May 27, 2010
#27 thomas.p...@gmail.com
@caselogic
Do you know what the topic is of this issue?
Chrome saves already HTTP AUTH passwords but doesn't offer this informations to any API.
May 27, 2010
#28 caselo...@gmail.com
@thomas

I was replying to the post above mine, sorry if that wasn't clear.
Jul 16, 2010
#29 sidney.e...@gmail.com
If this is your only reason for not switching from FF to LP for password management, then you should reconsider.  I agree that Chrome integration would be great, but in the meantime there is a relatively easy workaround to fill HTTP AUTH passwords.

To save the username/password, create a new site in LP.  Provide the username and password and be sure to provide the exact URL you will be navigating to.

To fill the username/password when you visit the site: 

1) Navigate to the site requiring the HTTP AUTH
2) In the LP menu in the Chrome toolbar, select the site (at the bottom) and edit.  A new browser window opens where you can edit your password info for this site.
3) Show password
4) Copy and paste the username and password, one at a time, into the site (previous window).

It's not elegant, but it only takes 5 seconds... certainly not so cumbersome that it prevented me from switching to LP.  And I'm optimistic that eventually there will be a more elegant solution.
Jul 16, 2010
#30 psyb...@gmail.com
You don't have to select 'edit', there is an option to copy the username and password (separately) directly in that menu.  This will save you the step of having to click 'show password' (and also prevent opening up a new tab).
Jul 16, 2010
#31 thomas.p...@gmail.com
"there is an option..."
Can you tell the exact name of this "option"
Jul 16, 2010
#32 psyb...@gmail.com
I thought the names 'Copy username' and 'Copy password' were self-explanatory enough.  They are right above 'Edit'.
lp.png
11.5 KB   View   Download
Jul 16, 2010
#33 thomas.p...@gmail.com
thx, got it, but never seen such a circuitous way :P
Jul 16, 2010
#34 psyb...@gmail.com
I should probably point out to everyone using this feature as a workaround, be sure you copy your password first THEN your username!  Otherwise you will wind up with your password sitting in your clipboard and you might accidentally expose it somewhere else.

And of course, if you have any malware monitoring your clipboard it will get your login info.
Jul 20, 2010
#35 IBNob...@gmail.com
There is an easier way around this, but it is much less secure.

HTTP Passwords can be entered in the URL.

HTTP://username:password@www.HTTPPasswordwebsite.com

If you store your username/password link in a bookmark, it will automatically log you into those pages.

Don't use this for your bank account, obviously...
Jul 26, 2010
#36 dick.sch...@gmail.com
@chromiumm people: any update on this? please make the auth window accessable - Chrome is the only browser which does not support this basic function.
Jul 26, 2010
#37 peteraro...@gmail.com
Please Chrome let us have this basic function! I'm getting tired of using Copy Password. 
Jul 26, 2010
#38 qaelith....@gmail.com
If it would at all be helpful to bring this into perspective, the lack of this functionality is preventing one of the most popular extensions from being as functional as the implementations on every other browser.  I'm surprised that making it possible for the top extensions to do what they need to do isn't more of a priority.
Jul 26, 2010
#39 kroko...@gmail.com
please implement this feature. I could not live without password manager with HTTP auth support.
Aug 2, 2010
#41 wernerb...@gmail.com
Please implement this feature, people really need this.
Aug 2, 2010
#42 sean.t...@gmail.com
There is clearly a balance here between the interests of architectural purity and those of user functionality.
Pure architecture and high security are useless if users won't use the systems that embody them.

Please implement the feature!
Aug 2, 2010
#43 caselo...@gmail.com
No developer has addressed this in 5 months =(
Aug 2, 2010
#44 joe-...@lastpass.com
LastPass will work around this issue - expect a release that handles HTTP Auth this week for windows, we'll be attempting OS X and Linux too.   This will require the binary version of the LastPass addon. 
Aug 10, 2010
#45 joe-...@lastpass.com
Limited HTTP Auth filling support has been added in the binary version of LastPass for Chrome version 1.69.5+  It's currently fill only -- you should add your HTTP Auth sites by using LastPass for Firefox, IE, or Safari first then you can use them in Chrome.  http://lastpass.com/support_faqs.php#chromebasicauth
Aug 10, 2010
#46 yllws...@gmail.com
Hey Joe,

I've downloaded and installed the binary version but my Chrome version still shows the following:
"LastPass Chrome Toolbar

Version: 1.69.3
Built: Thu Jul 22 13:55:44 EDT 2010
Binary Component: true"

Where is the 1.69.5 and higher version?

Thanks, and g.r.e.a.t product! :)
Aug 10, 2010
#47 david.j....@gmail.com
@yllwsmly: it's here https://lastpass.com/misc_download.php

@joe: it doesn't work for me because I have multiple possible logins and it only substitutes the first one LP has for that site; I can't choose which I want.
Aug 10, 2010
#48 joesiegr...@gmail.com
@david.j.earl  you can choose!  Just hit LastPass Icon -> Site -> Autofill icon -- will work

Aug 10, 2010
#49 guillaume.boudreau
Guys, can you please move your LastPass-related discussions into the proper support channels? (i.e. not in a Chromium Issue comments)
Thank you.
Aug 10, 2010
#50 yllws...@gmail.com
Apologies Guillaume. >.<
Sep 7, 2010
#52 thakis@chromium.org
(No comment was entered for this change.)
Cc: a...@chromium.org erik...@chromium.org
Sep 10, 2010
#53 a...@chromium.org
(No comment was entered for this change.)
Labels: Mstone-X
Sep 10, 2010
#54 chachi%k...@gtempaccount.com
Please make the HTTP_AUTH window accessible to extensions so that tools like 1Password will work.
Sep 10, 2010
#55 caselo...@gmail.com
There is no need to repeat the original issue or anything everyone else has been saying. Just star the issue and wait patiently.
Sep 14, 2010
#56 a...@chromium.org
Doing a bug scrub. This feature request still seems valid because as joe@lastpass.com says, there is no way to get the original passwords.

I think perhaps the way to implement this would still be in the network api ( bug 50943 ). Perhaps there could be events for when these credentials are wanted by the system, and for when they are filled in by the user.
Cc: joc...@chromium.org
Oct 29, 2010
#57 ian.chil...@gmail.com
Hi,

I am also waiting for this - please could it be actioned in Chrome.

Thanks,

Ian

Oct 29, 2010
#58 a...@chromium.org
(No comment was entered for this change.)
Labels: Restrict-AddIssueComment-Commit
Mar 23, 2011
#59 dmaclach@chromium.org
 Issue 76864  has been merged into this issue.
Cc: e...@thedalzells.org
Apr 6, 2011
#60 cbentzel@chromium.org
(No comment was entered for this change.)
Labels: Internals-Network-Auth
May 13, 2011
#61 rahu...@chromium.org
(No comment was entered for this change.)
Labels: -mstone-x
Jul 21, 2011
#62 battre@chromium.org
(No comment was entered for this change.)
Cc: battre@chromium.org
Sep 22, 2011
#63 cbentzel@chromium.org
(No comment was entered for this change.)
Status: Started
Owner: cbentzel@chromium.org
Oct 11, 2011
#64 cbentzel@chromium.org
http://codereview.chromium.org/8015004/ landed a few hours today.

This adds support to the onAuthRequired listener in webRequest to provide authentication credentials. 

When an onAuthRequired listener is registered as "blocking", it can return a BlockingResponse object. 

For example, to return authentication credentials, return from the listener:

{authCredentials: {username: "foo", password: "bar"}}

If an empty object is returned, then the default authentication behavior is used for the request - typically an authentication prompt will be displayed, but for some background requests the request will simply fail.
Nov 8, 2011
#65 battre@chromium.org
Can we close this bug?
Nov 8, 2011
#66 cbentzel@chromium.org
Two things I could imagine adding to the API.

- An onAuthProvided listener which provides username/password and a Details object with the credentials the user provided.

- An onAuthFailed listener which provides a Details object. Currently this is implicit with a duplicate onAuthRequired with the same details, but it may be easier to have a separate listener. This would be necessary if we limit the number of times that an extension can provide credentials for a request to N attempts - otherwise there is no feedback that the N'th attempt failed. 
Dec 5, 2011
#67 cbentzel@chromium.org
Marking as fixed. Will enter a bug for the onAuthProvided/onAuthFailed API access.
Dec 5, 2011
#68 cbentzel@chromium.org
Actually, I'll just leave this alive for the issues listed in #66, rather than enter separate bugs. Enough people are starred on this bug that it will be busy work to track the new bugs. 
Status: Fixed
Dec 5, 2011
#69 cbentzel@chromium.org
(No comment was entered for this change.)
Status: Assigned
Mar 10, 2013
#70 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Feature-Extensions -Area-UI -Internals-Network-Auth Cr-Platform-Extensions Cr-Internals-Network-Auth Cr-UI
Mar 13, 2013
#71 lafo...@google.com
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Sign in to add a comment

Powered by Google Project Hosting