Re: [whatwg] Password managers ignoring autocomplete='off' harming security from Peter Kasting on 2014-10-02 (public-whatwg-archive@w3.org from October 2014)

From: Peter Kasting <pkasting@google.com>
Date: Wed, 1 Oct 2014 17:24:51 -0700
To: Gavin Sharp <gavin@gavinsharp.com>
Cc: Dan Poltawski <dan@moodle.com>, WHATWG <whatwg@lists.whatwg.org>
Message-ID: <CAAHOzFA4cVS=p7jKXx_WHiwKNPxw3CbrEsaDK2SfOXx+gVCepw@mail.gmail.com>

On Wed, Oct 1, 2014 at 4:34 PM, Gavin Sharp <gavin@gavinsharp.com> wrote:

> That browsers now automatically go fill in sensitive data (passwords)
> into these password fields is the issue, because people might not
> notice that happening and then submit the form.

OK, but how does that cycle get started?  I could be wrong, but I believe
in Chrome that we won't autofill your password from site X into a password
field on unrelated site Y.  You have to have explicitly used that password
on site Y to fill it in the future.  So if people are getting sensitive
data, that was never supposed to be in these fields to begin with, filled
into the fields, how is that happening?  Are browsers being aggressive
about attempting to fill data from one site into another?  Does this happen
across browsers?

PK

Received on Thursday, 2 October 2014 00:25:21 UTC