- From: John Foliot <john.foliot@deque.com>
- Date: Fri, 24 Nov 2017 11:20:35 -0600
- To: "w3c/wcag21" <reply+0012be731f34aefadf4e0578e2bfac27b03829a9da0699e292cf00000001162e5d0f92a16>, public-webappsec@w3.org
- Cc: "w3c/wcag21" <wcag21@noreply.github.com>, Subscribed <subscribed@noreply.github.com>
- Message-ID: <CAKdCpxz=o4wWuzWtuur8riQUKGcfrVAdtfVEHWG8oRp-rNYMZQ@mail.gmail.com>
Hi All, Adding the Web Application Security Working Group public mailing list to this thread (thanks in advance WebAppSec WG), to see if anyone over there has any current information about this. It's an interesting concern. A quick search tells me that I can edit all autofill field values directly from the browser settings (Chrome <https://www.pcworld.com/article/3145489/browsers/how-to-clear-unwanted-autofill-entries-in-google-chrome.html>here, Firefox <https://support.mozilla.org/en-US/kb/control-whether-firefox-automatically-fills-forms#w_deleting-individual-form-entries>here, Safari <https://macpaw.com/how-to/clear-autocomplete-on-mac-os-x>here, Edge <https://privacy.microsoft.com/en-US/windows-10-microsoft-edge-and-privacy>here), and/or disable them completely, although that may defeat our goal. As a quick explanation to the security folks, we are looking at mandating the use of the @autocomplete tokens in the next version of the Web Content Accessibility Guidelines (v. 2.1 <http://rawgit.com/w3c/wcag21/master/guidelines/index.html>) - or at least a subset of the full 52-odd token values in HTML 5 today (this is still in flight and not yet completely nailed down). While autocomplete is a help to many users, for those users with cognitive disabilities, this feature is significantly more useful and important (think for example of a user who is dyslexic - having their zip code 'remembered' reduces their need to ensure they always get the numbers correct, and in the correct order.) Given what appears to be a significant privacy and security concern here, is there any indication from the browser vendors around addressing these concerns? More importantly, if we were to mandate the use of those tokens (target date for our next Rec is June 2018), will we run into issues down the road? It seems that the autocomplete feature has been shipping for at least 5 years now, so I personally suspect it isn't going to go away, but additionally, the concerns raised seem to be in the category of "Big Deal". Any information that WebAppSec WG members could provide (either collectively or individually) would be most gratefully received. Thanks in advance JFb Application Security Working Group On Thu, Nov 23, 2017 at 3:55 AM, Alastair Campbell <notifications@github.com > wrote: > I picked up a comment from @StommePoes <https://github.com/stommepoes> on > twitter (thread <https://twitter.com/stommepoes/status/933594053375127552>) > about the security of autofill. > > This is to a great extent an issue with the browser implementations, but > it is relevant because if the browsers don't solve it then autofill is > likely to go-away. That would undermine the SC. > > For example, if the browser auto-fills fields by default, any site could > hide input fields out of view and collect your credit card details. > > I think current implementations wait for you to fill in one field (e.g. > name) and then it fills in the others, but again the site can hide fields. > This example video > <https://video.twimg.com/tweet_video/C1UYX2LXcAA_KYJ.mp4> from > @anttiviljami <https://twitter.com/anttiviljami/status/816585860661518336> > shows it working now. > > There are also issues with tracking scripts sucking data from the page > <https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/>, > even if a form isn't submitted they can still get the auto-filled data. > > Apparently most recent security advice > <https://twitter.com/stommepoes/status/933622256911224832> is to disable > autofill in your browser. > > I have a few suggestions: > > - Find someone in W3C with knowledge of what browsers are doing about > this (I couldn't find much from a quick search). > - Put a note in the understanding that there are potential security > issues. > - Make clear to anyone currently implementing a browser extension they > need to try and mitigate these effects. > > Hopefully the browsers will solve this (e.g. only fill in visible fields, > and only on request), but there could be reasons that is hard or impossible > to do. > > — > You are receiving this because you are subscribed to this thread. > Reply to this email directly, view it on GitHub > <https://github.com/w3c/wcag21/issues/590>, or mute the thread > <https://github.com/notifications/unsubscribe-auth/ABK-c5w86I3WqnjwzBmiVecTzhix2hKnks5s5UEPgaJpZM4Qofqh> > . > -- John Foliot Principal Accessibility Strategist Deque Systems Inc. john.foliot@deque.com Advancing the mission of digital accessibility and inclusion
Received on Friday, 24 November 2017 17:21:01 UTC