1727832 - Firefox should not fill credit card details into invisible form fields

Status: NEW

(Toolkit :: Form Autofill, enhancement, P3)

Description

[Tim Giles [:tgiles]]

As part of Bug 1688209, we implemented a simple visibility check for hidden form fields to prevent the component from filling into those hidden form fields and potentially breaking the cc autocomplete process. There are many other ways to hide an input element however, so we should determine which cases we should look out for and which cases are out of scope. The same issues discovered in Bug 1688209 apply here, except we're dealing with credit card information instead of email and passwords.

One of MattN's previous comments is especially relevant here:

We can maybe use Intersection Observer for this. I think we will end up in an arms race and the cost to compute visibility isn't zero so this could have a performance cost. We would need to keep an intersection observer around as long as there are hidden fields so that we can fill them when they become visible. We would also need to have a minimum amount of time for the fields to be visible otherwise attackers would just make them visible for a short time that users won't notice.