- From: Dan Poltawski <dan@moodle.com>
- Date: Thu, 2 Oct 2014 02:12:29 +0100
- To: Peter Kasting <pkasting@google.com>
- Cc: Dan Poltawski <dan@moodle.com>, Gavin Sharp <gavin@gavinsharp.com>, WHATWG <whatwg@lists.whatwg.org>

On 2 October 2014 01:24, Peter Kasting <pkasting@google.com> wrote:
> OK, but how does that cycle get started? I could be wrong, but I believe in
> Chrome that we won't autofill your password from site X into a password
> field on unrelated site Y. You have to have explicitly used that password
> on site Y to fill it in the future. So if people are getting sensitive
> data, that was never supposed to be in these fields to begin with, filled
> into the fields, how is that happening? Are browsers being aggressive about
> attempting to fill data from one site into another? Does this happen across
> browsers?

The most basic case of autocompleting on the same site is the one which is most problematic for us. A traditional username/password to log in to the site with autocomplete enabled and functioning as expected - but then after the user has logged in, they do something on a page with one of these (I'll now call) masked fields, and without them noticing - that field is autocompleted with their login password. Previously we could prevent that behaviour by disabling autocomplete on these fields.

Note a more traditional example of this which might affect more sites is something like a 'create new user' form where the password would be erroneously set to the password of the user who is creating the accounts.

We've had this problem reported to us about at least Chrome, Firefox and Safari.

cheers,
Dan

Received on Thursday, 2 October 2014 01:13:15 UTC
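
The 'create new user' case described in the message above can also be caught on the server. The following is an added example, not part of the original e-mail and not Moodle's code: a guard that rejects a new account's password when it verifies against the stored hash of the user who is creating the account, which is the signature of the browser having filled in their login password. The function names, the PBKDF2 parameters and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # constructed work factor for this example


def hash_password(password, salt=None):
    """Return (salt, derived_key) suitable for storage."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, key


def matches_stored(password, salt, key):
    """Constant-time check of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)


def check_new_user_password(submitted, operator_salt, operator_key):
    """Validate the password field of a 'create new user' form.

    Returns "ok", "empty", or "matches-operator". The last value means the
    submitted password verifies against the logged-in operator's own
    credential, i.e. the field was probably autofilled by the browser.
    """
    if not submitted:
        return "empty"
    if matches_stored(submitted, operator_salt, operator_key):
        return "matches-operator"
    return "ok"


# Constructed sample data: the stored credential of the logged-in operator.
OPERATOR_SALT, OPERATOR_KEY = hash_password("operator-login-pw")

if __name__ == "__main__":
    for value in ("operator-login-pw", "fresh-student-pw", ""):
        result = check_new_user_password(value, OPERATOR_SALT, OPERATOR_KEY)
        print(repr(value), "->", result)
```

The check only sees the operator's own hash, so it catches the autofill case from the message without comparing the new password against any other account.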