Closed
Bug 373153
Opened 18 years ago
Closed 18 years ago
PM Should Ignore Invisible Forms
Categories
(Toolkit :: Password Manager, defect)
Toolkit
Password Manager
Tracking
()
RESOLVED
WONTFIX
People
(Reporter: shinyairplane, Unassigned)
References
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2 From Bug #360493, there were many comments about if and how invisible forms could be ignored when performing automatic tasks such as filling in passwords from the PM. (see Jesse's several visible-username-invisible-password examples) Reproducible: Always
Comment 1•18 years ago
|
||
There are endless ways for a malicious web page to hide or obscure parts of itself. This is a very similar concept to the issue raised in bug 258875, dealing with <input type="file">. Hidden form inputs are very commonly used, although at first glance hidden password fields would seem unusual.. After all, the only difference from a regular <input> is the visual appearance of the value. But it's not hard to think of couple cases where this might be desired: * As a mechanism to help prevent phishing (hide the form, and make the user use a password manager with a difficult-to-remember password) * A page with forms hidden by default (ie, at pageload), which a script unhides based on some criteria (say, show a login form or a change password form in a DHTML control panel). So, given some plausible use cases and a lack of an attack scenario which requires it (and is not easily done in some other way), this is WONTFIX.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WONTFIX
Comment 2•18 years ago
|
||
Bah. I forgot to mention... HTML4.01 actually includes an example of this, so it's not completely bizarre. http://www.w3.org/TR/1999/REC-html401-19991224/interact/forms.html#h-17.13.2 [Confusingly, it both says this "may" work and "will" work. I suspect "may" is the desired requirement, although it's moot for this bug now.]
Reporter | ||
Comment 3•18 years ago
|
||
That example has a prefilled password, which does not exactly lend itself to your position about the Password Manager ;)
Assignee | ||
Updated•16 years ago
|
Product: Firefox → Toolkit
You need to log in
before you can comment on or make changes to this bug.
Description
•