Skip to content

fix: Prevent Firefox password autofill in channel search bar #37145

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kodiakhq merged 1 commit into from
Oct 6, 2025
Merged

fix: Prevent Firefox password autofill in channel search bar #37145

kodiakhq merged 1 commit into from
Oct 6, 2025

Conversation

@DSingh0304
Copy link
Contributor

@DSingh0304 DSingh0304 commented Oct 6, 2025
edited by coderabbitai bot
Loading

Proposed changes (including videos or screenshots)

This PR fixes an issue where Firefox browser incorrectly shows password autofill suggestions when users click on the channel search bar in the sidebar.

Problem:
Firefox's aggressive autofill detection was misidentifying the search input field as a password field, causing it to display saved password suggestions instead of allowing users to search for channels normally.

Solution:
Added autoComplete='off' attribute to the TextInput component in the SearchList component. This explicitly tells Firefox (and other browsers) not to offer autocomplete/autofill suggestions for this field.

Screenshot from 2025-10-06 13-18-06

Technical Details:

  • Modified: apps/meteor/client/sidebar/search/SearchList.tsx (line 348)
  • Added the autoComplete='off' prop to the search TextInput
  • This matches the existing implementation in the NavBarSearch component which already has this attribute for the same purpose

Impact:

  • Prevents Firefox from showing password suggestions in the search bar
  • Does not affect functionality for other browsers
  • Improves user experience when searching for channels
  • Minimal, non-breaking change

Issue(s)

Fixes #37113

Steps to test or reproduce

Prerequisites:

  • Firefox browser (latest version)
  • Some passwords saved in Firefox

Reproducing the bug:

  1. Open Rocket.Chat in Firefox browser
  2. Have some saved passwords in Firefox
  3. Click on the channel search bar in the sidebar (or press Ctrl+K / Cmd+K)
  4. Bug: Firefox shows a dropdown with saved passwords instead of search functionality

Verifying the fix:

  1. Apply this PR
  2. Open Rocket.Chat in Firefox
  3. Click on the channel search bar (or press Ctrl+K / Cmd+K)
  4. Expected: No password suggestions appear
  5. Expected: Only channel and user search results are displayed
  6. Expected: Search functionality works normally

Tested:

  • ✅ Tested locally in Firefox (latest version)
  • ✅ Search functionality works correctly
  • ✅ No password autofill suggestions appear
  • ✅ Other browsers (Chrome, Edge) unaffected
  • ✅ Keyboard shortcut (Ctrl+K) works correctly

Further comments

This is a simple, one-line fix that addresses a long-standing UX issue reported in #37113.

The solution is consistent with the existing codebase - the NavBarSearch component already uses autoComplete='off' for the same purpose (see apps/meteor/client/NavBarV2/NavBarSearch/NavBarSearch.tsx line 84).

The autoComplete='off' attribute is a standard HTML5 attribute supported by all modern browsers and is the recommended way to disable browser autofill/autocomplete on form fields.

Why this works:
Firefox uses heuristics to detect password fields and automatically suggests saved passwords. By explicitly setting autoComplete='off', we tell the browser that this field should not use autocomplete, preventing the unwanted password suggestions.

Checklist:

  • I have read the Contributing Guide
  • I have signed the CLA (will sign when prompted by the bot)
  • Lint and unit tests pass locally with my changes
  • Code follows project conventions and style guide
  • Changes tested in Firefox browser
  • Tests added (N/A - this is a UI behavior fix with no logic changes)
  • Documentation updated (N/A - internal implementation detail, no user-facing documentation needed)

Summary by CodeRabbit

  • Bug Fixes
    • Disabled browser autocomplete in the search field to prevent conflicting suggestions with in-app results.
    • Eliminates UI overlap and jitter caused by native dropdowns, improving clarity while typing.
    • Enhances privacy by not exposing past queries and ensures consistent behavior across browsers.

@DSingh0304
[FIX] Prevent Firefox password autofill in channel search bar
cb584d7 
- Added autoComplete='off' attribute to search TextInput in SearchList component
- Prevents Firefox from incorrectly suggesting saved passwords when users click the channel search bar
- Matches the existing implementation in NavBarSearch component

Fixes issue where Firefox confuses search bar for password field
@DSingh0304 DSingh0304 requested a review from a team as a code owner October 6, 2025 07:58
@dionisio-bot
Copy link
Contributor

dionisio-bot bot commented Oct 6, 2025
edited
Loading

Looks like this PR is not ready to merge, because of the following issues:

  • This PR is targeting the wrong base branch. It should target 7.12.0, but it targets 7.11.0

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

@changeset-bot
Copy link

changeset-bot bot commented Oct 6, 2025

⚠️ No Changeset found

Latest commit: cb584d7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 6, 2025
edited
Loading

Walkthrough

Added the autoComplete="off" attribute to the sidebar search TextInput component in SearchList.tsx to disable browser autocomplete.

Changes

Cohort / File(s) Summary
Sidebar search input attributes
apps/meteor/client/sidebar/search/SearchList.tsx		 Set TextInput prop autoComplete="off" to prevent browser autocomplete on the channel search field.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A hop, a tap, no ghosts of keys,
I nose the search with gentle ease.
No passwords fall like autumn leaves—
Just channels whisper in the breeze.
Thump-thump! I browse with carefree glee,
A rabbit safe from autofill’s spree. 🐇🔎

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Linked Issues Check ✅ Passed The pull request directly implements the linked issue’s objective by adding autoComplete="off" to the channel search input, which prevents Firefox from offering saved password suggestions and fulfills issue #37113’s requirement.
Out of Scope Changes Check ✅ Passed The only modification in this pull request is the addition of autoComplete="off" to the search TextInput in SearchList.tsx, and there are no unrelated or extraneous changes beyond this scope.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.
Title Check ✅ Passed The title clearly and concisely describes the main change of disabling Firefox’s password autofill in the channel search bar, matching the PR’s primary objective without extraneous details.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Oct 6, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (1)
apps/meteor/client/sidebar/search/SearchList.tsx (1)

341-350: Good fix; consider hardening with form-level autocomplete and type='search'.

Adding autoComplete='off' on the input should stop Firefox’s password suggestions. To further reduce password manager heuristics:

  • Add autoComplete='off' to the form element too.
  • Set type='search' and a stable non-credential name.

Please confirm Sidebar.TopBar.Section forwards autoComplete to the underlying <form>.

Proposed diff:

-			<Sidebar.TopBar.Section {...({ flexShrink: 0 } as any)} is='form'>
+			<Sidebar.TopBar.Section {...({ flexShrink: 0 } as any)} is='form' autoComplete='off'>
 				<Box mb='x12' w='full'>
 					<TextInput
+						type='search'
+						name='sidebar-search'
 						aria-owns={listId}
 						data-qa='sidebar-search-input'
 						ref={autofocus}
 						{...filter}
 						placeholder={placeholder}
 						role='searchbox'
 						autoComplete='off'
 						addon={<Icon name='cross' size='x20' onClick={onClose} />}
 					/>
 				</Box>
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between f627e67 and cb584d7.

📒 Files selected for processing (1)
  • apps/meteor/client/sidebar/search/SearchList.tsx (1 hunks)

@DSingh0304 DSingh0304 changed the title [FIX] Prevent Firefox password autofill in channel search bar fix: Prevent Firefox password autofill in channel search bar Oct 6, 2025
@DSingh0304 DSingh0304 mentioned this pull request Oct 6, 2025
Closed
@tassoevan tassoevan added this to the 7.12.0 milestone Oct 6, 2025
@tassoevan tassoevan added the stat: QA assured Means it has been tested and approved by a company insider label Oct 6, 2025
@dionisio-bot dionisio-bot bot added the stat: ready to merge PR tested and approved waiting for merge label Oct 6, 2025
@codecov
Copy link

codecov bot commented Oct 6, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 64.14%. Comparing base (f627e67) to head (cb584d7).
⚠️ Report is 1 commits behind head on develop.

Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff             @@
##           develop   #37145      +/-   ##
===========================================
- Coverage    67.43%   64.14%   -3.30%     
===========================================
  Files         3332     2897     -435     
  Lines       113607   106236    -7371     
  Branches     20608    18823    -1785     
===========================================
- Hits         76614    68142    -8472     
- Misses       34394    36184    +1790     
+ Partials      2599     1910     -689
Flag Coverage Δ
e2e 42.75% <ø> (-14.66%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@kodiakhq kodiakhq bot merged commit 3309f90 into RocketChat:develop Oct 6, 2025
86 of 92 checks passed
debdutdeb pushed a commit that referenced this pull request Oct 7, 2025
@DSingh0304 @debdutdeb
fix: Prevent Firefox password autofill in channel search bar (#37145)
8807db4
juliajforesti pushed a commit that referenced this pull request Oct 8, 2025
@DSingh0304 @juliajforesti
fix: Prevent Firefox password autofill in channel search bar (#37145)
035fe82
juliajforesti pushed a commit that referenced this pull request Oct 8, 2025
@DSingh0304 @juliajforesti
fix: Prevent Firefox password autofill in channel search bar (#37145)
f8e6a0c
@coderabbitai coderabbitai bot mentioned this pull request Dec 29, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@tassoevan tassoevan tassoevan approved these changes

Assignees

No one assigned

Labels

stat: QA assured Means it has been tested and approved by a company insider stat: ready to merge PR tested and approved waiting for merge

Projects

None yet

Milestone

7.12.0

Development

Successfully merging this pull request may close these issues.

Firefox mixes up channel search field as password field

3 participants

@DSingh0304 @tassoevan @ggazzo