Closed Bug 505954 Opened 16 years ago Closed 16 years ago

Autocomplete is unsecure, when saves input content on https secure pages!!!

Categories

(Toolkit :: Form Manager, defect)

1.9.0 Branch
defect
Not set
major

RESOLVED DUPLICATE of bug 252486

People

(Reporter: webmaster33, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; hu; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; hu; rv:1.9.0.11) Gecko/2009060215 Firefox/3.0.11 (.NET CLR 3.5.30729)

Imagine that you buy something, and you type your credit card information on an https (secure, encrypted) page. This info is saved into the Autocomplete system, so somebody who can get access to this computer can open down the credit card information. This is UNSECURE!

Solution: It should be possible to disable the autocomplete on HTTPS pages. Sincerely, this should be disabled by default.

Reproducible: Always

Steps to Reproduce:
1. Go to a Secure HTTPS page
2. Enter some data, and Submit
3. Go again to the secure page, and you can open down your credit card data.

Actual Results: Result: Firefox is unsecure.

Expected Results: Should be not possible to access autocomplete data on HTTPS pages!
Version: unspecified → 3.0 Branch
Component: Security → Autocomplete
Product: Firefox → Toolkit
QA Contact: firefox → autocomplete
Version: 3.0 Branch → 1.9.0 Branch
This is by design, no need for the bug to remain private to discuss a policy issue.
Group: core-security
For sites that are concerned about sensitive fields most browsers (including Mozilla browsers) support the autocomplete=off attribute.
Whiteboard: DUPEME
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Component: Autocomplete → Form Manager
OS: Windows Vista → All
QA Contact: autocomplete → form.manager
Hardware: x86 → All
Resolution: --- → DUPLICATE
Whiteboard: DUPEME
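
The `autocomplete=off` opt-out mentioned in the comments above can be checked from the site side. The following is an added example, not part of the original bug report or of Mozilla's code: it scans a page's HTML and lists sensitive-looking inputs that form history would still record. The field-name pattern, the skipped-type list and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: name/id fragments treated as sensitive; tune for your own forms.
SENSITIVE = re.compile(r"card|cc[-_]?(num|no)|cvv|cvc|ssn|iban", re.I)
# Types skipped: no free-text entry, or handled by the password manager instead.
SKIPPED = {"hidden", "submit", "button", "checkbox", "radio", "file",
           "image", "reset", "password"}

class AutocompleteAudit(HTMLParser):
    """Collect sensitive-looking inputs whose effective autocomplete is not 'off'."""
    def __init__(self):
        super().__init__()
        self.form_setting = None   # autocomplete value of the enclosing <form>
        self.findings = []         # (field name, effective setting)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_setting = a.get("autocomplete") or None
        elif tag == "input" and a.get("type", "text") not in SKIPPED:
            label = a.get("name") or a.get("id") or ""
            # A field's own attribute overrides the value inherited from its form.
            effective = a.get("autocomplete") or self.form_setting or "on"
            if SENSITIVE.search(label) and effective != "off":
                self.findings.append((label, effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_setting = None

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample checkout markup (not taken from any real site).
SAMPLE = """
<form action="/pay">
  <input type="text" name="fullname">
  <input type="text" name="cardnumber">
  <input type="text" name="cvv" autocomplete="off">
</form>
<form action="/pay2" autocomplete="off">
  <input type="text" name="card_number">
  <input type="text" name="card_expiry" autocomplete="on">
</form>
"""
```

Calling `audit(SAMPLE)` reports `cardnumber` (no opt-out anywhere) and `card_expiry` (the field re-enables what its form turned off).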