Closed
Bug 1248614
Opened 8 years ago
Closed 5 years ago
input with autocomplete=off shows history of entered values
Categories
(Toolkit :: Password Manager, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: katienka.mich, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0 Build ID: 20160210153822 Steps to reproduce: I made a simple web login page -> - input (name:username, type:text, autocomplete:off, autofocus) - input (name:pass, type:password) Actual results: When page is loaded no suggestions appear after clicking the input(name:username) - that´s OK, but when I click somewhere else to loose focus a then back in the input more times... suggestions appear (from all pages with same input(name:username) ) Expected results: No suggestions should appear for user security.
Comment 1•8 years ago
|
||
Not a security issue. I believe that form autocomplete falls into the password manager bugzilla component, but Matt could you confirm?
Group: firefox-core-security
Component: Untriaged → Password Manager
Flags: needinfo?(MattN+bmo)
Product: Firefox → Toolkit
Comment 2•8 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #1) > Not a security issue. I believe that form autocomplete falls into the > password manager bugzilla component, but Matt could you confirm? Form autocomplete is Toolkit::Form Manager (/toolit/components/satchel/) unless the field is for a username, in which case it's password manager. (In reply to Katarína Michaličková from comment #0) Hello Katarína, > When page is loaded no suggestions appear after clicking the > input(name:username) - that´s OK, We never show suggestions upon single click, only double-click, click then typing, or click then down arrow, etc. > but when I click somewhere else to loose focus a then back in the input more > times... suggestions appear (from all pages with same input(name:username) ) So you're saying that form history suggestions appear, not saved logins? > Expected results: > > No suggestions should appear for user security. It's questionable what the security benefit of not remembering a username is. Please attach an HTML test case that demonstrates the problem since I'm not sure if you're describing expected behaviour or not. We intentionally don't honour autocomplete=off anymore on username or passwords fields since it should be up to the user to decide whether to save their login as password managers have been shown to lead to increased security through less password re-use and more complex passwords. In that case, selecting the username should fill the password but it seems like that's not what you're seeing so there may be a bug but I can't say for sure without a test case or more details. See https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
Flags: needinfo?(MattN+bmo) → needinfo?(katienka.mich)
Updated•5 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE
Updated•2 years ago
|
Flags: needinfo?(katienka.mich)
You need to log in
before you can comment on or make changes to this bug.
Description
•