- From: CSS Meeting Bot via GitHub <sysbot+gh@w3.org>
- Date: Wed, 19 Jan 2022 16:22:10 +0000
- To: public-css-archive@w3.org
The CSS Working Group just discussed `input-security considered harmful`. <details><summary>The full IRC log of that discussion</summary> <TabAtkins> Topic: input-security considered harmful<br> <TabAtkins> github: https://github.com/w3c/csswg-drafts/issues/6788<br> <TabAtkins> florian: I disagreed with just one of his statements, not all<br> <TabAtkins> florian: In UI4 we introduced 'input-security: auto | none'<br> <TabAtkins> florian: 'auto' does nothing by default, but on password fields (and other host-defined "sensitive" things) it obscures the text via *** or whatever<br> <TabAtkins> florian: 'none' turns that off<br> <TabAtkins> florian: Mats says this is a useful feature, but shouldn't be under the author's control, needing them to use JS on things.<br> <TabAtkins> florian: UAs are also much more likely to get a11y right on things like this.<br> <TabAtkins> dholbert: Also Edge already does this by default with a little button on password fields<br> <TabAtkins> astearns: Anyone implemented the CSS value?<br> <TabAtkins> TabAtkins: WebKit did, Chrome inherited it pre-fork<br> <fantasai> TabAtkins: Not ok to drop without a replacement<br> <fantasai> TabAtkins: maybe mark as deprecated and that we will remove, once HTML spec is updated to require<br> <fantasai> TabAtkins: No mandatory UI, but required functionality<br> <TabAtkins> smfr: I don't have much of an opinion.<br> <TabAtkins> smfr: If we need it internally we can keep it internally, don't have a strong opinion<br> <fantasai> florian: Can we not have the dependency on HTML?<br> <fantasai> TabAtkins: The functionality is useful<br> <fantasai> TabAtkins: optimal place is not in CSS, but if we don't have the functionality otherwise should leave it in<br> <fantasai> florian: I'm saying we drop it from CSS now, and encourage browsers to do the right thing<br> <fantasai> florian: rather than not removing it now<br> <fantasai> TabAtkins: That falls into the failure mode that's likely, which is that we remove it and nothing happens to HTML<br> <fantasai> TabAtkins: and I think this is useful enough for users that we shouldn't encourage nothing<br> <oriol> Firefox also has a UA button to show text (like Edge) behind pref: layout.forms.input-type-show-password-button.enabled<br> <fantasai> florian: Chrome has it?<br> <fantasai> TabAtkins: yeah<br> <fantasai> florian: Edge has it?<br> <fantasai> dholbert: Firefox also has it on Nightly<br> <fantasai> florian: So seems like the scenario of not having it is unlikely<br> <fantasai> Rossen: talking about the property?<br> <fantasai> florian: The behavior of being able to reveal the passwrod<br> <jensimmons> Issue at HTML: https://github.com/whatwg/html/issues/7293<br> <fantasai> TabAtkins: We don't have it in Chrome<br> <fantasai> ??: We disabled in Chrome because of compat issues<br> <fantasai> astearns: Issue in HTML spec?<br> <fantasai> scribe+<br> <fantasai> astearns: That issue mentions something I'm concerned about, which is the HTML spec might need a CSS definition in order to say "here's what happens"<br> <fantasai> astearns: with this attribute or UI<br> <fantasai> florian: OK, maybe let's go back to what Tab suggests<br> <fantasai> florian: Resolve, we would like to remove this, would like it to be in HTML<br> <fantasai> astearns: So adding an issue to draft, we'd like to remove pls don't implement?<br> <fantasai> dholbert: My concern is that if we leave it, HTML spec might point at CSS for how to do it, and then JS can set in buggy ways<br> <fantasai> astearns: Note would say we'd like to remove, pls don't implement property, and HTML should define in a way that doesn't depend on CSS<br> <fantasai> florian: Tess is arguing for what we are saying to not do<br> <fantasai> astearns: Which is we should make it an issue and get Tess's input<br> <fantasai> Tim_Nguyen: Issue on our side was that inputs tend to have buttons for e.g. password autocomplete, and would need UI that wouldn't interfere<br> <fantasai> astearns: Sounds like we're not going to resolve any spec edits today, but let's add an issue to the draft saying we'd like to remove this<br> <fantasai> astearns: Proposed resolution is to put our recommendation into an issue in the draft, and come back to it later when we can get more discussion on it<br> <fantasai> astearns: Objections?<br> </details> -- GitHub Notification of comment by css-meeting-bot Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/6788#issuecomment-1016634878 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 19 January 2022 16:22:11 UTC