Document that Passff never autosubmits over http or make it an option. #498

Open
diviaki opened this issue Nov 11, 2021 · 5 comments · May be fixed by #520

Comments


diviaki commented Nov 11, 2021

Versions

  • Operating system: Pop_OS 21.04
  • Browser: Firefox 94.0
  • PassFF: 1.13
  • Host app: passff.py 1.2.1

Status line output: [12:13:19] show -> (0) no error message

Steps to reproduce the issue

  1. Make sure autofill and autosubmit are ON.
  2. Visit a https:// site with credentials in pass
  3. Visit a http:// site with credentials in pass

Actual behaviour

For 1, inputs got filled and submitted
For 2, inputs got filled and then nothing happens, even the debug log is silent.
The submit icon accessed from input field's passff icon also behaves like autosubmit, that is, doing nothing on a http site.

Expected behaviour

must have:
Passff should complain about sending passwords over an insecure channel and/or this behaviour should be in the readme.
nice to have:
A global option like 'warn about phishing sites' or even better a per site override just like (the so far undocumented) autosubmit: false option.

Reason for still dealing with http

For my use case I work on a handful of local sites accessed over VPN that do not and will not have ssl.

@diviaki diviaki changed the title Document that Passff never submits over http or make it an option. Document that Passff never autosubmits over http or make it an option. Nov 11, 2021
Collaborator

tuxor1337 commented Nov 11, 2021

When you try to fill your pass credentials on an unsafe page (e.g. with http-protocol), PassFF does warn about this already with a prompt (confirmation dialog). It never silently refuses to fill or submit. There is a global option to disable all phishing checks. Do you have that option disabled or enabled?

Since your bug report seems to suggest that PassFF silently refuses to submit forms on a http page, it would be interesting to be able to reproduce this. Unfortunately, there are almost no http-pages left on the internet. Maybe I can test this with a temporary http server on my localhost...

Author

diviaki commented Nov 12, 2021

OK, I see where you're coming from: https downgraded to http can be seen as a phishing attempt.
I had that option off so far. Now that it's on the following happens over http:

  1. The login input gets filled
  2. An alert comes up: "There was an error parsing the URL (192.168.xxx.yyy:zzzz) from the password database. Do you want to continue anyway? Doing so may be a security risk. [OK|Cancel]"

Clicks OK>
3. Password input autofilled.
4. No autosubmit and no reason why it didn't happen, debug console: [PassFF.content] Message Page.submit received in content util.js:84:14

Clicks Cancel>
3. Password input is not autofilled
4. JS error: TypeError: passwordData is undefined page.js:752:1

Notes:

  • the wording of the alert is somewhat misfortunate, (for me) it suggests that first of all I made a mistake in the url.
  • this phishing alert option seems to affect autofill which is fine and works as designed
  • the phishing alert option has no effect on autosubmitting which never happens over http

@tuxor1337
Collaborator

> it suggests that first of all I made a mistake in the url.

Yes, you did, apparently:

>>> new URL("192.168.0.1:3000")
Uncaught TypeError: URL constructor: 192.168.0.1:3000 is not a valid URL.
>>> new URL("http://192.168.0.1:3000")
URL { href: "http://192.168.0.1:3000/", origin: "http://192.168.0.1:3000", protocol: "http:", username: "", password: "", host: "192.168.0.1:3000", hostname: "192.168.0.1", port: "3000", pathname: "/", search: "" }

Author

diviaki commented Nov 12, 2021

I stand corrected.
I didn't realize the dialog is reporting 2 distinct errors.

Author

diviaki commented Nov 12, 2021

This gave me an idea:
When the URL in a pass file is http, allow autosubmit.
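
The URL-parsing behaviour shown in the thread and the policy suggested in the last comment, as an added example that is not PassFF's code. The function names, the same-origin requirement and the sample URLs are assumptions made for illustration.

```javascript
// Added example; classifyStoredUrl and mayAutosubmit are hypothetical names, not PassFF APIs.
const WEB_SCHEMES = new Set(["http:", "https:"]);

// Report how the WHATWG URL parser sees a URL string taken from a password entry.
function classifyStoredUrl(raw) {
  let url;
  try {
    url = new URL(raw.trim());
  } catch (e) {
    // "192.168.0.1:3000": a scheme cannot start with a digit, so parsing fails.
    return { kind: "unparseable", url: null };
  }
  if (!WEB_SCHEMES.has(url.protocol)) {
    // "localhost:3000" parses without error, but "localhost:" is read as the scheme.
    return { kind: "not-web", url };
  }
  return { kind: url.protocol === "https:" ? "https" : "http", url };
}

// Assumed policy: autosubmit only when the stored entry and the page share an origin,
// so plain http is allowed only if the entry itself was stored as an http:// URL.
function mayAutosubmit(storedRaw, pageHref) {
  const stored = classifyStoredUrl(storedRaw);
  const page = classifyStoredUrl(pageHref);
  if (stored.url === null || page.url === null) {
    return { allow: false, reason: "unparseable URL" };
  }
  if (stored.kind === "not-web" || page.kind === "not-web") {
    return { allow: false, reason: "not an http(s) URL" };
  }
  if (stored.kind === "https" && page.kind === "http") {
    return { allow: false, reason: "https entry on http page (downgrade)" };
  }
  if (stored.url.origin !== page.url.origin) {
    return { allow: false, reason: "origin mismatch" };
  }
  return { allow: true, reason: page.kind === "http" ? "entry stored as http" : "https" };
}

// Constructed sample inputs (not taken from a real password store).
for (const entry of ["192.168.0.1:3000", "localhost:3000", "http://192.168.0.1:3000"]) {
  console.log(entry, "->", classifyStoredUrl(entry).kind,
    mayAutosubmit(entry, "http://192.168.0.1:3000/login"));
}
```

A scheme-less `host:port` entry is the case to watch for: depending on the host it either fails to parse or parses as a non-web scheme, and in both cases there is no origin to compare against the page.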

@tuxor1337 tuxor1337 linked a pull request May 22, 2024 that will close this issue