Closed Bug 1449206 Opened 7 years ago Closed 7 years ago

Autocomplete of username / password fields should be disabled on hidden fields

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
58 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1247245

People

(Reporter: delacour.tom, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0 Build ID: 20180206200532 Steps to reproduce: 1. Save username / password to browser password manager for a given app. 2. Access a page on that app that includes a credentials form that is hidden by default (accessible via toggle or similar). 3. Submit form. 4. Observe credentials being accepted by the app server without user consent. The username input has attribute "autocomplete=off" and the password input has attribute "autocomplete=new-password". I understand that browsers are moving away from supporting at least the former. Actual results: It seems the username / password are auto-completed in this hidden form. These credentials are then sneakily being sent to the app server, even though the user has not consented to this because they never opted to even un-hide the credentials form. Expected results: Credentials should not be auto-completed in hidden forms.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.