Re: Security of Autocomplete - Good News!

John wrote:

> RE: Horizontal Security Review: I think that the time is *now* (as other specs come to APA for their accessibility horizontal review at around this same time - i.e. CR or sooner).

Maybe it has been submitted already, but noted, I’ll ask about that.

> I am stunned that the browsers have not addressed this *STILL*.

I’m a bit surprised given the mainstream press on it, and it does put this SC in a difficult position.

I would be interested to know from Charles or Léonie:

  *   Is there active work on the issue of phishing user-data via autocomplete? [1]
  *   Where would be a suitable place for that discussion to happen?

It occurs to me a good solution to prevent the phishing would be to add visible (foreground) symbols next to fields which can be autocompleted, a bit like LastPass adds an icon inside of username/password inputs. The browser could ensure the symbols are shown even if the inputs were hidden. If those symbols were user-configurable, that would also help with the personalisation aspects as well (or at least be compatible).

Cheers,

-Alastair

[1] the trigger for this discussion was a comment about this article:

https://www.digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden-fields/

If you fill in an autocomplete field (e.g. name), the site can have visually hidden fields with email, password, credit card number etc. It can grab that data without the user realising because it is auto-populated.

Received on Wednesday, 28 February 2018 17:34:10 UTC
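
The hidden-field behaviour described in footnote [1] can be checked for from the defending side, for example when reviewing a page or building a browser extension. The sketch below is an added example, not part of the original message: it flags form controls that declare an autofill purpose but are hidden by CSS or placed off-screen. The token list, the 2px size threshold and the injectable `view` parameter are assumptions of the example.

```javascript
// Added example: flag autofill-eligible form controls that the user cannot see.
// Field names are a subset of the HTML autocomplete attribute's tokens.
const AUTOFILL_TOKENS = new Set([
  'name', 'given-name', 'family-name', 'email', 'tel', 'organization',
  'street-address', 'address-line1', 'postal-code', 'country',
  'cc-name', 'cc-number', 'cc-exp', 'cc-csc',
  'username', 'current-password',
]);

// Returns why a control is invisible, or null if it appears visible.
function hiddenReason(el, view) {
  // display and opacity are not inherited, so every ancestor is checked.
  for (let n = el; n && n.nodeType === 1; n = n.parentElement) {
    const cs = view.getComputedStyle(n);
    if (cs.display === 'none') return 'display:none';
    if (parseFloat(cs.opacity) === 0) return 'opacity:0';
  }
  if (view.getComputedStyle(el).visibility !== 'visible') return 'visibility';
  const r = el.getBoundingClientRect();
  if (r.width < 2 || r.height < 2) return 'near-zero size';
  // Convert to document coordinates so scrolling does not cause false hits.
  const right = r.right + (view.scrollX || 0);
  const bottom = r.bottom + (view.scrollY || 0);
  if (right <= 0 || bottom <= 0) return 'off-screen';
  return null;
}

// Returns the autofill field name a control declares, or null.
function autofillToken(el) {
  const attr = (el.getAttribute('autocomplete') || '').toLowerCase();
  const tokens = attr.split(/\s+/).filter(Boolean);
  return tokens.find((t) => AUTOFILL_TOKENS.has(t)) || null;
}

// Audits one form; `view` is injectable so the logic can be tested off-DOM.
function auditForm(form, view = globalThis) {
  const findings = [];
  for (const el of form.elements) {
    if (!['INPUT', 'SELECT', 'TEXTAREA'].includes(el.tagName)) continue;
    if (el.type === 'hidden') continue; // scope: editable controls only
    const token = autofillToken(el);
    const reason = token && hiddenReason(el, view);
    if (reason) findings.push({ name: el.name, token, reason });
  }
  return findings;
}
```

In a browser, `auditForm(document.forms[0], window)` returns one finding per hidden control. Controls with no `autocomplete` attribute are outside what this sketch examines.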