jakartaee / faces

Jakarta Faces

ViewState: autocomplete="off" issue #1912

Closed melloware closed 3 months ago

melloware commented 4 months ago

The NuHTML checker reports this:

image

Their reason: https://github.com/validator/validator/issues/1153

It looks like the autofill spec (https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill) says inputs of type hidden are NOT allowed to have the value on or off but must be a detail, and the one that makes the most sense is one-time-code?

https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#attr-fe-autocomplete-one-time-code

Thoughts?
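
The rule cited in the comment above, as an added example that is not part of the original thread or of Mojarra/MyFaces code: a small checker that scans rendered markup for hidden inputs carrying autocomplete on or off. The function names and the sample HTML are constructed for illustration, and the regex-based tag scan is an assumption that is adequate for server-rendered form markup, not a full HTML parser.

```javascript
// Added example: flag <input type="hidden"> elements whose autocomplete value
// is "on" or "off", the combination the NuHTML checker rejects.

// Parse the attributes of one <input ...> start tag into a name -> value map.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    // Attribute names are case-insensitive; a bare attribute gets "".
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per hidden input that carries autocomplete on/off.
function findInvalidHiddenAutocomplete(html) {
  const findings = [];
  // Quoted values may contain ">", so skip over them while finding the tag end.
  const tagRe = /<input\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    const a = parseAttributes(tag);
    const type = (a.type || "text").trim().toLowerCase();
    if (type !== "hidden" || a.autocomplete === undefined) continue;
    const ac = a.autocomplete.trim().toLowerCase();
    if (ac === "on" || ac === "off") {
      findings.push({ name: a.name || a.id || "(unnamed)", autocomplete: ac });
    }
  }
  return findings;
}

// Constructed sample resembling a rendered Faces form (values are placeholders).
const SAMPLE_HTML = `
<form id="f" method="post">
  <input type="text" name="f:user" autocomplete="off">
  <input type="hidden" name="jakarta.faces.ViewState" value="CONSTRUCTED" autocomplete="off" />
  <input type="hidden" name="f:token" value="x" autocomplete="one-time-code">
  <input type='HIDDEN' name='f:legacy' AUTOCOMPLETE=On>
</form>`;

for (const f of findInvalidHiddenAutocomplete(SAMPLE_HTML)) {
  console.log(`hidden input ${f.name}: autocomplete="${f.autocomplete}" not allowed`);
}
```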

BalusC commented 4 months ago

AFAICS that's not part of the Faces spec but just part of a workaround for misbehavior of some old Firefox version. Unsure if that's still happening with current versions. Try disabling the autocomplete field (Mojarra has a specific context param for this, unsure about MyFaces) and testing the behavior in current browsers. See also https://stackoverflow.com/q/18460909. If it's no longer happening in new browsers, we could remove it or invert the default config.

melloware commented 3 months ago

MyFaces has it as well, as o.a.m.AUTOCOMPLETE_OFF_VIEW_STATE.

Maybe we could invert the default config?

BalusC commented 3 months ago

Just checked, it's indeed not part of the Faces spec, so the issue belongs in the Mojarra project.

Also tested with the latest Firefox (124.0.2) and the original problem as described in https://github.com/eclipse-ee4j/mojarra/issues/1133 is not reproducible. But I don't know in which FF version it was fixed. According to https://bugzilla.mozilla.org/show_bug.cgi?id=520561 someone reproduced it ~2y ago. I think this is too short.

Let's make it one-time-code for now. In Mojarra 4.1 we could invert the default config to emit the autocomplete attribute (once more, it's not part of the Faces spec so there's no harm implementing this change in Mojarra 4.1 even when the Faces 4.1 spec is basically already set in stone).

BalusC commented 3 months ago

Scratch that... it appears that older FF versions don't support one-time-code: https://bugzilla.mozilla.org/show_bug.cgi?id=1547294

BalusC commented 3 months ago

Continue in https://github.com/eclipse-ee4j/mojarra/issues/5434

melloware commented 3 months ago

Created MyFaces ticket: https://issues.apache.org/jira/browse/MYFACES-4659