http://83f.de/information/Example.html register your name. then go away and come again , click who am i
Not a security issue.
Created attachment 769465 [details] Not only username, its possible to read password, too Very easy steps to read out prefilled username and password
"The duplicate" is fixed in year 2008 https://bugzilla.mozilla.org/show_bug.cgi?id=359675 This bug ist new, and is not fixed, so don't mark it as duplicate.
You can already enable the settings added by bug 359675 ("signon.autofillForms") because it is already fixed.
After a few weeks this bug still exists and nobody do something. This bug is now confirmed.
Hi Frank. Looks like it's been a while and I can see the history of disagreement on the discussion here over what the default behavior should be. It does seem like an issue that should be clarified in descriptions of privacy settings. For now, you might want to try using Private Browsing windows when you log in to sensitive sites on computers you don't have control over.
That's how password fields work, this isn't a bug. Of course the web pages can read what you (or the browser) types into it, some pages require this. Even if you disagree on that point, if a web page wanted to trick the user it could just implement something that looks like a <input type=password> but isn't really.
Seems more appropriate to resolve this as a duplicate of bug 653132. I disagree regarding this not being a bug, as it *is* inarguably a privacy leak and we *could* do something about it, e.g. for passwords stored in the password manager, we could allow JS to read back only dummy values until the onsubmit event fired. This would require careful study to make sure it doesn't break sites, even those that do batshit things like copy all the form values from the visible form to an invisible second form (yes, I have seen *that*)... but the password manager already doesn't work on sites that are sufficiently batshit, so I think the compat hit is likely to be acceptable.