Using the browser extension (Firefox), I generally like to have autofill on, but it can have ill effects on personal settings pages or even admin dashboards with API key fields and such where you wouldn’t want the site login data autofilled so readily, especially if a field is out of view and you don’t notice it happening.
Is there a way of having a global block list of URL regexes so that you wouldn’t need to tweak hundreds of login items to make exceptions for sensitive pages?
I actually did try (with autofill on) going to Settings > Autofill > Additional options and adding a simple regex like word$ to see if this would negate the autofill behavior on a login page with the URL ending in word and it does seem to work. A different login page autofills fine but the first one it’s blocked. Great, I actually expected it to work the opposite before making the regex more complex to actually reject that word but maybe it’s just inverting whether autofill is set on/off or something (which seems a little dangerous)?
Anyway, I can see nowhere in the UI that this rule is in effect. In fact there’s no OK or Save button for even entering the regex but apparently it took effect. Now I just can’t see the rule anywhere to be able to edit or remove it.
I assume you mean “Autofill on page load”. By itself, “autofill” is an umbrella term that covers all method for transferring secrets from the vault into an online form.
Autofill on page load can have bad effects if combined with lax URI matching (such as “Base Domain”).
No, but at a minimum, I would suggest changing the Default URI Match Detection setting to “Host”, and then fix any entries that no longer match.
Where did you enter that regex expression? The Settings page does not have any UI for entering a regex string. If you the Default URI Match Detection setting to “Regular expression”, then the URI strings stored in any login item will be interpreted as a regex, if the corresponding URI match detection method has been left as “Default”.
If you want help troubleshooting this, please provide more detail about the URI strings stored in the relevant login items, and about the web page URLs involved.
It is more likely that some unrelated behavior caused you to think that your regex “took effect”. If you disagree, please provide sufficient detail to allow me to reproduce the behavior that you’ve observed.