W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > April 2010

[Bug 9602] That autofocus attribute will wreak security havok. What an ignorant idea to bring more logic to HTML. I think I know a couple of ways to abuse it, since it actually is some sort of flow control, which only scripting languages should be capable of. I hope

From: <bugzilla@jessica.w3.org>
Date: Wed, 28 Apr 2010 16:41:54 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1O7AKg-0006J8-Ef@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=9602





--- Comment #3 from Lachlan Hunt <lachlan.hunt@lachy.id.au>  2010-04-28 16:42:32 ---
This does not introduce any new security flaw that doesn't already exist
already with:

<input>
<script>
document.querySelector("input").focus();
</script>

In fact, the autocomplete attribute is significantly less harmful than the
script alternative because the UA has the option of opting out of providing
focus if the user has already begun interacting with something else.

Also, your attack vector depends on the user attempting to enter sensitive
information without first giving focus to another control, nor noticing that
they're not entering text into the intended control.  Your demo cannot log keys
at all once the user has given focus to anything else on the page.

I do not believe your concerns are valid at all.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 28 April 2010 16:42:37 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 28 April 2010 16:42:37 GMT