Closed Bug 1118540 Opened 6 years ago Closed 5 years ago
We should propose a spec update instead of violating the spec in silence.
Note that when someone is not logged in to a particular site (on which they do have an account), revealing their *user name* to the site is already a privacy violation. See for instance http://www.pamgriffith.net/blog/privacy-and-autocompleted-usernames
I'm pretty sure this is a dupe of some existing bug... I don't think we should do this. It's likely to cause problems with sites that need to look at the password field for legitimate reasons, and if a site has been exploited you'd still need to guard against things like keypress listeners.
I agree, :dolske.
I've marked the two bugs that discuss this as dependents on this one. Wanted to create this one to talk about the problem in general and what solutions are possible without breaking the web. Perhaps this should be a "breakdown" bug. Going back to comment 0, #1 would be a good way of dealing with this if it is feasible to implement (and it's also being discussed here - https://bugzilla.mozilla.org/show_bug.cgi?id=1118511#c11). #2 isn't possible in the web we live in today. Maybe it will be one day. In the meantime, we could implement #2 for websites that opt into this type of protection via the Credential Management API.
This bug as summarized has to be WONTFIX--there are many login pages that depend on the current behavior. Something like bug 653132 might work but we already have that bug and can discuss it there. Not autofilling passwords willy-nilly would also help, but afaik we've wontfixed those bugs (or relegated them to a buried about:config pref, e.g. bug 359675).
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX