Closed
Bug 83923
Opened 24 years ago
Closed 24 years ago
need a HTML tag that forces N6 to not allow auto password storage and form filling
Categories
(Core :: Security, defect)
Tracking
()
People
(Reporter: Bill.Burns, Assigned: security-bugs)
Details
Attachments
(1 file)
|
65.94 KB,
image/jpeg
|
Details |
screenshot
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9+) Gecko/20010530 Netscape6/6.5b0 BuildID: 2001053004 There are some secure sites that do not want users to have their passwords (and other form elements) pre-filled in for them by the browser. For example, I don't people to have their LDAP username, password, and SSN cached anyplace or saved by the browser. IN reality, many security-conscious people probably don't want that either. Ideally, this would be similar to the "no-cache" tags. Or perhaps a "no-cache" HTML tag would also be interpreted by Mozilla/N6 as "also do not cache form elements" or "also don't cache form elements that are input type 'password'. Reproducible: Always Steps to Reproduce: 1.go to a form like the internal certificate server 2. note that when you fill out the form N6/Mozilla it asks you if you want to save the form elements 3.Be afraid 4. Be very afraid. :)
|
Assignee | |
Comment 1•24 years ago
|
||
Good idea. I think jar mentioned something similar recently. Morse, can you do this?
|
||
Comment 2•24 years ago
|
||
Sure can. How would you like an AUTOCOMPLETE="OFF" attribute on the input tag and/or form tag? See bug 63961 for more details.
|
||
Comment 3•24 years ago
|
||
Maybe I'm just being too anal here, but is there a way we can do this without adding any proprietary stuff to our HTML implementation? I worry because documents using strict doctypes would not be able to use such an extension and still validate. Perhaps we could use a properly-marked proprietary CSS property like <input type="password" style="-moz-autocomplete:never;" /> ?? Thoughts ??
|
|
||
Comment 4•24 years ago
|
||
What proprietary stuff have we added? Ifyou are referring to the autocomplete=off attribute, that's already recognized by IE.
|
|
||
Comment 5•24 years ago
|
||
Sorry, I really meant "non-standard" instead of "proprietary".
Yes, it may be recognized by IE, but so are <marquee> and document.all -- that
doesn't mean we have license to implement them as well. The main reason I take
issue is that it becomes impossible for a document to implement this control and
still validate as strictly conforming to a w3c doctype. Which I think we should
be encouraging people to do, don't you?
CSS is more flexible in allowing for forwards-compatibility and proprietary
extensions, so that's why I suggested it as an alternative.
Also, consider this benefit: such a CSS property could be used to support IE's
autocomplete="off" attribute, by adding something like this to forms.css:
input[autocomplete=off] {-moz-autocomplete:never !important;}|
|
||
Comment 6•24 years ago
|
||
> How would you like an AUTOCOMPLETE="OFF" attribute on the input tag
> and/or form tag? See bug 63961 for more details.
I guess I was being a bit facetious and, as a result, my response was unclear.
What I was trying to say, but didn't do so explicitly, is that we have already
implemented this feature. So the problem being presented in this bug report is
not a problem any longer.
|
Reporter | |
Comment 10•24 years ago
|
||
closing bug. The writeup in Bbug 63961 sounds like it will address our concern. *** This bug has been marked as a duplicate of 63961 ***
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•