Closed Bug 373153 Opened 18 years ago Closed 18 years ago

PM Should Ignore Invisible Forms

Categories

(Toolkit :: Password Manager, defect)

defect
Not set
normal

RESOLVED WONTFIX

People

(Reporter: shinyairplane, Unassigned)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

From Bug #360493, there were many comments about if and how invisible forms could be ignored when performing automatic tasks such as filling in passwords from the PM (see Jesse's several visible-username-invisible-password examples).

Reproducible: Always
Blocks: 373140
There are endless ways for a malicious web page to hide or obscure parts of itself. This is a very similar concept to the issue raised in bug 258875, dealing with <input type="file">.

Hidden form inputs are very commonly used, although at first glance hidden password fields would seem unusual. After all, the only difference from a regular <input> is the visual appearance of the value. But it's not hard to think of a couple of cases where this might be desired:

* As a mechanism to help prevent phishing (hide the form, and make the user use a password manager with a difficult-to-remember password)
* A page with forms hidden by default (i.e., at page load), which a script unhides based on some criteria (say, show a login form or a change password form in a DHTML control panel).

So, given some plausible use cases and a lack of an attack scenario which requires it (and is not easily done in some other way), this is WONTFIX.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Bah. I forgot to mention...

HTML4.01 actually includes an example of this, so it's not completely bizarre. 

http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#h-17.13.2

[Confusingly, it both says this "may" work and "will" work. I suspect "may" is the desired requirement, although it's moot for this bug now.]
That example has a prefilled password, which does not exactly lend itself to your position about the Password Manager ;)
Product: Firefox → Toolkit
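
The second use case from the WONTFIX comment (a form hidden at page load and revealed later by script), run through a minimal "ignore invisible forms" rule. This is an added example, not part of the bug thread and not Firefox code; the element model and the names `el`, `hiddenReason` and `fillablePasswordFields` are hypothetical.

```javascript
// Added illustration: a toy element model, not Firefox or Password Manager code.
// Each node carries only the inline style properties this check looks at.
function el(tag, attrs = {}, style = {}, children = []) {
  const node = { tag, attrs, style, children, parent: null };
  for (const c of children) c.parent = node;
  return node;
}

// Why the node is not rendered, or null when neither rule matches.
// Covers only display and visibility; a null result does not prove
// that the user can actually see the field.
function hiddenReason(node) {
  if (node.tag === "input" && node.attrs.type === "hidden") return "type=hidden";
  let visibility = null; // nearest explicit value wins (the property inherits)
  for (let n = node; n; n = n.parent) {
    if (n.style.display === "none") return `display:none on <${n.tag}>`;
    if (visibility === null && n.style.visibility) visibility = n.style.visibility;
  }
  return visibility === "hidden" ? "visibility:hidden" : null;
}

// Password fields an "ignore invisible forms" policy would still fill.
function fillablePasswordFields(form) {
  const out = [];
  const walk = (n) => {
    if (n.tag === "input" && n.attrs.type === "password" && hiddenReason(n) === null) {
      out.push(n.attrs.name);
    }
    n.children.forEach(walk);
  };
  walk(form);
  return out;
}

// Constructed sample: a control panel whose login form starts hidden.
const pw = el("input", { type: "password", name: "pass" });
const user = el("input", { type: "text", name: "user" });
const loginForm = el("form", { id: "login" }, { display: "none" }, [user, pw]);
const panel = el("div", { id: "panel" }, {}, [loginForm]);

const atPageLoad = fillablePasswordFields(loginForm); // form still hidden
loginForm.style.display = "block";                    // page script reveals it
const afterReveal = fillablePasswordFields(loginForm);
console.log({ atPageLoad, afterReveal });
```

A rule evaluated once at page load skips this legitimate form entirely, so the policy would also need to re-run whenever the page changes its own styling.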