W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2014

Re: [whatwg] Password managers ignoring autocomplete='off' harming security

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 2 Oct 2014 08:48:58 +0200
Message-ID: <CADnb78jnwfXx8GpPJAUcLp5hapKgrqq5NCQWjy9jdVhdaR+W2g@mail.gmail.com>
To: Dan Poltawski <dan@moodle.com>
Cc: WHATWG <whatwg@lists.whatwg.org>, Gavin Sharp <gavin@gavinsharp.com>, Peter Kasting <pkasting@google.com>

On Thu, Oct 2, 2014 at 3:12 AM, Dan Poltawski <dan@moodle.com> wrote:
> The most basic case of autocompleting on the same site is the one
> which is most problematic for us.
>
> A traditional username/password to login to the site with autocomplete
> enabled and functioning as expected - but then after the user has
> logged in, they do something on a page with one of these (I'll now
> call) masked fields, and without them noticing - that field is
> autocompleted with their login password. Previously we could prevent
> that behaviour by disabling autocomplete on these fields.
>
> Note a more traditional example of this which might affect more sites
> is something like a 'create new user' form where the password would be
> erroneously set to the password of the user who is creating the
> accounts.

https://html.spec.whatwg.org/multipage/forms.html#autofill has some
ways of managing autofill. I'm not sure how much of it is implemented.
From that it seems you could use autocomplete=new-password, although
if that works as advertised it would have the problem Daniel Cheng
mentioned, so perhaps it's only used as a heuristic.


-- 
https://annevankesteren.nl/
Received on Thursday, 2 October 2014 06:49:24 UTC
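As an added illustration (not markup from the thread, from Moodle, or from the spec page Anne links), here is how the spec's autofill field names would be applied to the situations Dan describes: the login form declares its fields as the stored credential, the "create new user" form marks its password field as a new password so a password manager has no reason to offer the administrator's own login password there, and a masked non-password field gets the same token as the closest available hint. Whether any particular password manager honours these tokens is a separate question; as Anne notes above, implementation status was unclear at the time. The form actions and field names below are hypothetical.

```html
<!-- Login form: these fields ARE the stored credential, so label them as such
     so a password manager fills them here and, ideally, only here. -->
<form method="post" action="/login">
  <label>Username
    <input name="username" type="text" autocomplete="username">
  </label>
  <label>Password
    <input name="password" type="password" autocomplete="current-password">
  </label>
  <button>Log in</button>
</form>

<!-- Administrator's "create new user" form (hypothetical path): the password
     entered here belongs to the account being created, not to the logged-in
     administrator, so declare it as a new password rather than relying on
     autocomplete="off", which the thread reports password managers ignore. -->
<form method="post" action="/admin/users/new">
  <label>New username
    <input name="new_username" type="text" autocomplete="off">
  </label>
  <label>Initial password
    <input name="new_password" type="password" autocomplete="new-password">
  </label>
  <button>Create account</button>
</form>

<!-- Masked field that is not a password at all (hypothetical example: a shared
     secret for an integration). The spec has no exact token for this, so
     new-password is the closest hint that "the stored login credential does
     not belong here", which is the suggestion made in the reply above. -->
<form method="post" action="/admin/integrations">
  <label>Integration secret
    <input name="integration_secret" type="password" autocomplete="new-password">
  </label>
  <button>Save</button>
</form>
```

Note that `autocomplete="off"` is kept on the new-username field only as a best-effort hint; the point of the thread is that it cannot be relied on, and the password fields are where the more specific tokens matter.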
