- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 2 Oct 2014 08:48:58 +0200
- To: Dan Poltawski <dan@moodle.com>
- Cc: WHATWG <whatwg@lists.whatwg.org>, Gavin Sharp <gavin@gavinsharp.com>, Peter Kasting <pkasting@google.com>
On Thu, Oct 2, 2014 at 3:12 AM, Dan Poltawski <dan@moodle.com> wrote: > The most basic case of autocompleting on the same site is the one > which is most problematic for us. > > A traditional username/password to login to the site with autocomplete > enabled and functioning as expected - but then after the user has > logged in, they do something on a page with one of these (i'll now > call) masked fields, and without them noticing - that field is > autocompleted with their login password. Previously we could prevent > that behaviour by disabling autocomplete on these fields. > > Note a more traditional example of this which might affect more sites > is something like a 'create new user' form where the password would be > erroneously set to the password of the user who is creating the > accounts. https://html.spec.whatwg.org/multipage/forms.html#autofill has some ways of managing autofill. I'm not sure how much of it is implemented. >From that it seems you could use autocomplete=new-password, although if that works as advertized it would have the problem Daniel Cheng mentioned, so perhaps it's only used as heuristic. -- https://annevankesteren.nl/
Received on Thursday, 2 October 2014 06:49:24 UTC