Closed Bug 83923 Opened 24 years ago Closed 24 years ago

need a HTML tag that forces N6 to not allow auto password storage and form filling

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED DUPLICATE of bug 63961

People

(Reporter: Bill.Burns, Assigned: security-bugs)

Details

Attachments

(1 file)

screenshot
65.94 KB, image/jpeg
Details
From Bugzilla Helper: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9+) Gecko/20010530 Netscape6/6.5b0 BuildID: 2001053004 There are some secure sites that do not want users to have their passwords (and other form elements) pre-filled in for them by the browser. For example, I don't people to have their LDAP username, password, and SSN cached anyplace or saved by the browser. IN reality, many security-conscious people probably don't want that either. Ideally, this would be similar to the "no-cache" tags. Or perhaps a "no-cache" HTML tag would also be interpreted by Mozilla/N6 as "also do not cache form elements" or "also don't cache form elements that are input type 'password'. Reproducible: Always Steps to Reproduce: 1.go to a form like the internal certificate server 2. note that when you fill out the form N6/Mozilla it asks you if you want to save the form elements 3.Be afraid 4. Be very afraid. :)
Good idea. I think jar mentioned something similar recently. Morse, can you do this?
Sure can. How would you like an AUTOCOMPLETE="OFF" attribute on the input tag and/or form tag? See bug 63961 for more details.
Maybe I'm just being too anal here, but is there a way we can do this without adding any proprietary stuff to our HTML implementation? I worry because documents using strict doctypes would not be able to use such an extension and still validate. Perhaps we could use a properly-marked proprietary CSS property like <input type="password" style="-moz-autocomplete:never;" /> ?? Thoughts ??
What proprietary stuff have we added? Ifyou are referring to the autocomplete=off attribute, that's already recognized by IE.
Sorry, I really meant "non-standard" instead of "proprietary". Yes, it may be recognized by IE, but so are <marquee> and document.all -- that doesn't mean we have license to implement them as well. The main reason I take issue is that it becomes impossible for a document to implement this control and still validate as strictly conforming to a w3c doctype. Which I think we should be encouraging people to do, don't you? CSS is more flexible in allowing for forwards-compatibility and proprietary extensions, so that's why I suggested it as an alternative. Also, consider this benefit: such a CSS property could be used to support IE's autocomplete="off" attribute, by adding something like this to forms.css: input[autocomplete=off] {-moz-autocomplete:never !important;}
> How would you like an AUTOCOMPLETE="OFF" attribute on the input tag > and/or form tag? See bug 63961 for more details. I guess I was being a bit facetious and, as a result, my response was unclear. What I was trying to say, but didn't do so explicitly, is that we have already implemented this feature. So the problem being presented in this bug report is not a problem any longer.
There's a work around for this problem, so can this bug be closed?
Attached image screenshot
wtf, can we now please add that CC (see screenshot)
closing bug. The writeup in Bbug 63961 sounds like it will address our concern. *** This bug has been marked as a duplicate of 63961 ***
Status: UNCONFIRMED → RESOLVED
Closed: 24 years ago
Resolution: --- → DUPLICATE
Marking VERIFIED DUPLICATE.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: