Password Manager Support for WWW-Authenticate


#1

If you access a website that uses the WWW-Authenticate header (BASIC, NTLM, etc.); password managers don’t auto-fill. I’m not sure if this is an oversight with the password managers themselves, however, Chrome also had this issue (with both 1Password and Dashlane) - this leads me to believe that this is because the credential popup is a “native” modal and not a HTML page; meaning that extensions have no access to it.

Two solutions come to mind:

  • Embed a built-in HTML page in the modal instead of using native controls. Fake the location (using the URL of the page requesting auth) and give password managers (only) access to that page.
    • Cons: This feels like a hack.
    • Pros: Vendors won’t need to change anything in order to support this, they would simply work when this feature ships. Consistent password manager experience (especially with stuff like the Dashlane autofill icon or 1Password hotkey).
  • Allow password managers to hook into the modal with some API.
    • Cons: This is a non-standard proprietary solution. “Invented here:” UX would have to be solved by Brave.
    • Pros: Could be adopted as a standard API by all browsers.

#2

Hi, the issue is discussed here: https://github.com/brave/browser-laptop/issues/1042

Thanks!