- From: James Nurthen <james.nurthen@oracle.com>
- Date: Tue, 27 Feb 2018 14:32:01 -0800 (PST)
- To: John Foliot <john.foliot@deque.com>, WCAG <w3c-wai-gl@w3.org>
- Cc: stommepoes@stommepoes.nl
- Message-ID: <c94a9863-0116-4cd5-9399-739dfa90f7ce@default>
John,

The issue cited was hiding the fields using the following

<p style="margin-left:-500px">
<input id="phone" name="phone" type="text" placeholder="Your Phone">
</p>

Before responding please repeat your test using off-screen techniques to hide the fields.

Regards,
James

From: John Foliot [mailto:john.foliot@deque.com]
Sent: Tuesday, February 27, 2018 1:40 PM
To: WCAG <w3c-wai-gl@w3.org>
Cc: stommepoes@stommepoes.nl
Subject: Security of Autocomplete - Good News!

Greetings all,

On today's call, I took the action to respond to Issue #775 (https://github.com/w3c/wcag21/issues/775). Before responding, I needed / wanted to do some basic testing myself.

I have created two forms that both include all 53 of the current @autocomplete tokens. The first form (https://john.foliot.ca/demos/autofill.php) uses input type="text" for all 53 inputs, and submitting the form echoes back the data being captured in the form fields. (Go ahead, give it a whirl.)

I have also created a second form, but this time I changed the bulk of the inputs to type="hidden" (I left the name-related fields as type="text", as most browsers and helper apps need at least "Name" to trigger the autocomplete functionality).

The second form can be found at: https://john.foliot.ca/demos/autofill_hidden.php

My basic testing confirms that when a field input is marked as "hidden", the autocomplete functionality is removed or otherwise disabled by the browsers to preserve user security. I have not done any further (advanced) testing, and so I cannot rule out the possibility of rogue sites using other scripted methods (https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/) to try and attempt to override this security feature. We likely need to add a comment in the Understanding document noting this fact (maybe?).

I am in need of testing assistance for the OSX platform, as well as iOS. If you care to help, please ping me off-line.

Based upon these test results, I will craft a response for Issue 775 later today.

JF
--
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion
Received on Tuesday, 27 February 2018 22:32:38 UTC
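
An added example, not part of the original message or of either author's test pages: a Python audit that flags fillable inputs pushed off-screen by an inline style (the pattern quoted in James's reply) while skipping type="hidden" inputs, which John's second form covers. The three-digit negative-offset heuristic, the inline-style-only scope and the sample markup are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: only inline style attributes are inspected (stylesheet rules are not
# resolved), and a negative offset of three or more digits counts as "off-screen".
OFFSCREEN = re.compile(
    r"(?:margin-(?:left|top)|left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"input", "br", "img", "hr", "meta", "link"}
NON_FILLABLE = {"hidden", "submit", "button", "reset", "image",
                "checkbox", "radio", "file"}

class OffscreenInputAudit(HTMLParser):
    """Collect fillable inputs that carry, or sit inside, an off-screen style."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, is_offscreen) for each open non-void element
        self.findings = []   # (line, name or id, where the style was found)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        off = bool(OFFSCREEN.search(a.get("style") or ""))
        inherited = any(flag for _, flag in self.stack)
        if tag == "input":
            itype = (a.get("type") or "text").lower()
            if itype not in NON_FILLABLE and (off or inherited):
                ident = a.get("name") or a.get("id") or "?"
                where = "own style" if off else "ancestor style"
                self.findings.append((self.getpos()[0], ident, where))
        if tag not in VOID:
            self.stack.append((tag, off))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = OffscreenInputAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a visible field, the off-screen field from the message,
# and a type="hidden" field that the audit deliberately ignores.
SAMPLE = '''<form>
<input name="name" type="text" autocomplete="name">
<p style="margin-left:-500px">
<input id="phone" name="phone" type="text" placeholder="Your Phone">
</p>
<input name="email" type="hidden" autocomplete="email">
</form>'''

if __name__ == "__main__":
    print(audit(SAMPLE))
```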