User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4 As bug 188285 shows, there is a problem with form autocompletion and sensitive data, such as credit card information. Bug 257455 suggests that sensitive information should not be stored on HTTPS sites, which is rejected by Daniel Veditz with the reason "The suite's version of form saving asks before capturing info, and obeys autocomplete="off" used by most SSL pages with sensitive data". Unfortunately, many sites _do not_ use autocomplete="off". Today there are (fortunately) sites that use HTTPS without necessarily having sensitive information (such as Bugzilla or Gmail) Therefore, my suggestion is to have a checkbox in the privacy->saved form information-preferences that says "Save information from secure sites (HTTPS)" or something like that. This should of course, be unchecked by default. At this time, you might feel that we should take more consideration for websites that prioritizes standards and the users privacy (like HTTPS-sites with non-sensitive information), rather than websites who don't follow simple standards like autocomplete="off". In other matters I might agree with you, but when we're talking about credit card-info and the likes, I just feel that it's too important. I opened a new bug instead of using the old one (and all the dupes), since i believed that i had a concrete suggestion to solve this. Reproducible: Always Steps to Reproduce:
I think a blanket on and off for https sites is a bad thing. Like you say there are many sites where its fine to have autocomplete. A better idea would be to have firefox ask if you want to save information the first time you use a form on a particular site.
#1 Yeah, that's also a possibility. Though the downside is that it in the long run will become often you have to make that decision, and that one site can have both sensitive and insensitive information (you want to autocomplete your shipping adress, but not your credit card-info). One thing we can agree on, is that a solution must be found, quickly. So I think we should discuss a bit what we find best, to get it solved.
Actually no I disagree. I do not see the need to this. My own machine is my own machine, noone else uses it with the same user account. If I were to use firefox on a public machine I would either not be entering my credit card details etc. or I would disable form completion.
Well, from time to time, friends and family have borrowed my computer for buying something in a webshop, and i've been quite surprised and also a bit embarrased when their credit card information has appeared the next time I were to use a web shop. Then I've been forced to erase the whole form information-database. Quite annoying when it's a few years old and therefore with a lot of entries which are _very_ helpful. Besides, people who aren't as security-aware as you would have no idea that their credit card information would be stored, and consider it secure to do payments on a public computer.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 252486
You need to log in before you can comment on or make changes to this bug.