Some websites fail to login when "Automatically submit forms after filling" is on. But they work fine when it's off and press login manually. My suppose is that a delay could solve this issue.

can you post here some links where I could reproduce this issue?

https://online.sberbank.ru/CSAFront/index.do (It's russian only, unfortunately)
If you will enter some (wrong) login-password the red error will be shown.
But the result of browserpass autosubmit will be just a blank page (with correct or wrong password).

Thanks for the link, no worries I speak russian.

I've looked at the page, unfortunately the problem is bigger than just a missing delay, the html markup on that page basically doesn't conform to HTML standards, so browserpass is unable to submit the form correctly.

The submit button has no indication that browserpass can use to be confident enough that this is indeed a submit button, see for yourself:

Browserpass has a very carefully crafted list of "approved selectors" that are considered to be "submit buttons", I for sure don't want browserpass to click on wrong button when your credentials are present on a page.

However, the reason why you are navigated to a white page instead of just staying on the login page is the following: a form can have an "action", and according to the standard when you "submit" the form, a request is made to that URL:

Because browserpass was unable to find the submit button, it tried to submit the form itself, and apparently the "action" that is sberbank folks assigned to the form leads to the white page. Either it's not implemented yet, or it's their attempt to catch robots, but they did manage to confuse browserpass.

Unfortunately this is one of those cases where there's nothing I can do on browserpass side to support this page, if you can, try to reach their support channel and convince them to fix this bug, the submit page ideally must have type="submit", or at the very least contain "login" / "signin" string in the "id", "name" or "class" attribute.

In the next version of browserpass you will be able to disable autoSubmit on per-site basis, so at least you won't be redirected to a white page, but I can't say when the next version will be ready at the moment 😞

no worries I speak russian.

(:

Thank you for this investigation! Really there are two more sites I've experienced problem with.
https://esia.gosuslugi.ru/idp/rlogin?cc=bp (But now it works fine and I can't reproduce the error more.)
https://online.raiffeisen.ru/#/login/main (It works fine for the most part of logins, but in about 10 percent of cases it will logout just after login. I'm not sure if this is the browserpass problem.)

And more!
https://community.opencellid.org/
https://community.letsencrypt.org/
https://forum.f-droid.org/
That use the same engine discourse
(https://github.com/discourse/discourse https://www.discourse.org/)
Is it has the same problem as sberbank?

Awesome, if you find more examples, keep them coming!

Discourse is good one, there is something that needs to be done on our side (tracked by #261) and something that discourse team needs to do (they implemented it, but then accidentally broke it again - we chatted with @mcnesium yesterday, he will hopefully take it to the discourse team).

I'll look into the rest a bit later today!

In the next version of browserpass you will be able to disable autoSubmit on per-site basis

Nice! I have an additional idea: "to have the separate button that will fill only forms, without autoSubmit".

Should I open these two feature requests?

The first one is sorta in progress, don't really need a ticket for it :)

As for the separate button, right now I'm not convinced this is a good idea yet, because I can't imagine a good example where this would be useful, comparing to just disabling autoSubmit on per-site basis. And I think functionality must be very popular and widely used for it to warrant a new button, e.g. as you've seen elsewhere I have some regrets now about the OTP button :)

Can you think of some scenarios, examples where you would prefer that new button? Feel free to post here, or create a new issue, doesn't really matter to me.

Sounds reasonable.

BTW, is it possible to detect that form is not fully completed? (There are sites that require captcha but not every login).

Given that sites can't even follow standards for basic username/password/submit fields, you can imagine how many other possibilities there are to add captcha and other fields... So unfortunately no, it won't be possible 😞

The form has fixed input tags and you can check if all input fields are filled in, or I'm wrong?

It's not that simple, the first example that comes to mind is that not always there is a <form> at all, it could be visually a form but inside HTML just a bunch of <div>s and some input fields. But even when <form> tag is present, it's very common that websites put "invisible" input fields to track different things, some metadata, or catch robots.

Take sberbank form for an example, see how many input fields there are that need to remain empty:

I just think that it isn't worth the effort to even attempt to come with some reasonable solution to this.

I don't like autoSubmit at all to be entirely honest (as you might have guessed 😁), that's why I want to implement enabling them on site-by-site basis :)

• https://esia.gosuslugi.ru/idp/rlogin?cc=bp - can't repro either, seems fine :)
• https://online.raiffeisen.ru/#/login/main - logout after login does sound like their issue, login + autosubmit works
• https://community.opencellid.org/, https://community.letsencrypt.org/, https://forum.f-droid.org/ - all are based on discourse, and they have the same root case as discourse, their login button is located outside of the <form> tag and it's not linked to the form. Luckily Discourse team will fix the issue, and our part is tracked in #261 :)

Thanks again for link examples and your ideas :)

one more site: https://www.radiocells.org/

Hmm seems to work for me, assuming you solve captcha before using browserpass?

https://www.radiocells.org/user/login this page, right? What do you see?

assuming you solve captcha before using browserpass?
No, it shows captcha every time.

https://www.radiocells.org/user/login this page, right?
Yes

Hmm seems to work for me. What do you see?
Hmm, I've just logged in with browserpass autofill, but it was only one time.

I solve captcha before pressing browserpass. And I see: "Invalid login ×"

https://ticket.coreboot.org/login is one more.
browserpass fills "OpenID URL" with my username, so login fails.

I solve captcha before pressing browserpass. And I see: "Invalid login ×"

I even registered an account, autologin definitely works for me - could it be that you saved wrong credentials in your password store?

https://ticket.coreboot.org/login is one more, browserpass fills "OpenID URL" with my username, so login fails.

yeah this is good one! I cut corners in the past when trying to quickly implement OpenID support, I'll take care of it in the next version of browserpass.

could it be that you saved wrong credentials in your password store?
Oh, I'm sorry! My username was misspelled.

https://www.citilink.ru/login/
browserpass puts user's name into captcha field, not username

Really good one, fixed in v3, I'll working on releasing beta version these days, and will post details in another issue, would love if you could join helping to test it.

could join helping to test it
sure!

Since I received so good examples from you and several others recently, I decided to create a new permanently-open Github issue encouraging people to submit more examples, so if you spot more examples, submit them here: browserpass/browserpass-extension#62

To demonstrate you your impact, here's the list of recent PRs that have improved fill or submit logic 😉 :

• browserpass/browserpass-extension#40
• browserpass/browserpass-extension#52
• browserpass/browserpass-extension#55
• browserpass/browserpass-extension#58