Add a pref to disallow "insertReplacementText" cancellation for autocomplete, autofill and password manager
Categories
(Core :: DOM: Events, enhancement, P3)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox84 | --- | fixed |
People
(Reporter: masayuki, Assigned: masayuki)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
I'm not sure this is the desired outcome as sites will abuse this to prevent the browser from autofilling their password or other form autofill info. We already see sites preventing
pastein password fields (Paypal was one example). I think we should consider making our internal callers not cancelable or at least see how the other browsers handle this.
I agree with this, and IIRC, I chatted about this issue (disabling password manager, etc, with beforeinput event newly) in a spec issue (I don't remember where it is).
Perhaps, we should firstly implement a pref to make such beforeinput event not cancelable. Then, if such web apps break our users' UX, we should consider whether it's enabled by default or not.
|
Assignee | |
Comment 1•4 years ago
|
||
smaug:
If we don't allow web apps to cancel beforeinput only in specific case, which way do you like better?
- Make the
beforeinputevent not cancelable - Stop dispatching
beforeinputevent in that case
Currently, I'm thinking that the former is better because:
beforeinputevent is not always cancelablebeforeinputevent may be used for other purpose than canceling default action (e.g., updating some state of the web app)
But I'd like your thought before writing the patch.
|
||
Comment 2•4 years ago
|
||
What do other browsers do here? Webcompat is rather important aspect.
|
|
Assignee | |
Comment 3•4 years ago
|
||
(In reply to Olli Pettay [:smaug] from comment #2)
What do other browsers do here? Webcompat is rather important aspect.
Unfortunately, both Chrome and Safari do no fire beforeinput event for autocomplete/password manager...
I filed Chromium's bug, but not yet of Safari.
https://bugs.chromium.org/p/chromium/issues/detail?id=1051844
|
|
Assignee | |
Comment 4•4 years ago
|
||
I mean they have a bug that they do not fire beforeinput event for their form auto filling, but it's invalid. See "insertReplacementText" value declaration of Input Events.
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 5•4 years ago
|
||
Blink and WebKit do not fire beforeinput event when user uses build-in
password manager and autocomplete. But the inputType value for this case,
"insertReplacementText" is defined as cancelable in the spec, and it's
actually cancelable when it's fired for correcting a word with built-in
spellchecker of them.
For making only our users' autocomplete and password manager not blocked by
web apps, we should make them not cancelable by default, but I think that we
should keep dispatching such non-cancelable beforeinput for conforming to
the standard unless we'd get a web-compat report for this.
|
|
Assignee | |
Updated•4 years ago
|
Pushed by masayuki@d-toybox.com: https://hg.mozilla.org/integration/autoland/rev/378c661f45e4 Make `beforeinput` event for `MozEditableElement.setUserInput()` not cancelable by default r=smaug
|
||
Comment 7•4 years ago
|
||
| bugherder | ||
|
||
Updated•3 years ago
|
Description
•