Closed Bug 296398 Opened 19 years ago Closed 17 years ago

Suggestion to solve problem with form autocomplete and sensitive data

Categories

(Toolkit :: Form Manager, enhancement)

Product:
Toolkit
Component:
Form Manager
Platform:
x86
Linux
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 252486

People

(Reporter: krasmussen, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

As bug 188285 shows, there is a problem with form autocompletion and sensitive
data, such as credit card information. Bug 257455 suggests that sensitive
information should not be stored on HTTPS sites, which is rejected by Daniel
Veditz with the reason "The suite's version of form saving asks before capturing
info, and obeys autocomplete="off" used by most SSL pages with sensitive data".
Unfortunately, many sites _do not_ use autocomplete="off".

Today there are (fortunately) sites that use HTTPS without necessarily having
sensitive information (such as Bugzilla or Gmail) Therefore, my suggestion is to
 have a checkbox in the privacy->saved form information-preferences that says
"Save information from secure sites (HTTPS)" or something like that. This should
of course, be unchecked by default.

At this time, you might feel that we should take more consideration for websites
that prioritizes standards and the users privacy (like HTTPS-sites with
non-sensitive information), rather than websites who don't follow simple
standards like autocomplete="off". In other matters I might agree with you, but
when we're talking about credit card-info and the likes, I just feel that it's
too important.

I opened a new bug instead of using the old one (and all the dupes), since i
believed that i had a concrete suggestion to solve this.

Reproducible: Always

Steps to Reproduce:
I think a blanket on and off for https sites is a bad thing. Like you say there
are many sites where its fine to have autocomplete.

A better idea would be to have firefox ask if you want to save information the
first time you use a form on a particular site.
#1 Yeah, that's also a possibility. Though the downside is that it in the long
run will become often you have to make that decision, and that one site can have
both sensitive and insensitive information (you want to autocomplete your
shipping adress, but not your credit card-info).

One thing we can agree on, is that a solution must be found, quickly. So I think
we should discuss a bit what we find best, to get it solved.
Severity: major → enhancement
Actually no I disagree. I do not see the need to this. My own machine is my own
machine, noone else uses it with the same user account. If I were to use firefox
on a public machine I would either not be entering my credit card details etc.
or I would disable form completion.

Well, from time to time, friends and family have borrowed my computer for buying
something in a webshop, and i've been quite surprised and also a bit embarrased
when their credit card information has appeared the next time I were to use a
web shop. Then I've been forced to erase the whole form information-database.
Quite annoying when it's a few years old and therefore with a lot of entries
which are _very_ helpful.

Besides, people who aren't as security-aware as you would have no idea that
their credit card information would be stored, and consider it secure to do
payments on a public computer.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.