Open dholbert opened 4 years ago
I ran into this in the wild, BTW, at https://www.jameshardie.com/forms/dream-collection-request-for-sample which is an order form that's split across a two-page submission process.
On the first page, this site has you enter your contact info, including your email address. On the second page (for Billing Info), that information is displayed again, with the email address shown in an <input type="email" disabled> field (which is presumably meant to be read-only). And there's a Firefox Relay button nearby, which would presumably clobber the contents of that field (as it does in my jsfiddle testcase) & would perhaps confuse the site and mess up your hypothetical order.
STR:
View this testcase (with FX Private Relay add-on installed in your browser profile): https://jsfiddle.net/dholbert/L8n9tued/
Click the FX Private Relay button at the right end of the email field.
(NOTE: The email field is marked as disabled, and has the value "foo@example.org" already entered.)
ACTUAL RESULTS:
EXPECTED RESULTS: The FX Private Relay button probably shouldn't appear in the first place here. We shouldn't be messing with the contents of disabled form fields; this could lead to unexpected behavior.
(Best-case, the website might not bother reading the contents of this field because they're not expecting it to change, so maybe this will end up wasting one of my limited relay addresses for no good reason. Worst-case, this might lead to some sort of error on the website where records get mixed up because a form submission is associated with an unfamiliar email address because the site wasn't expecting this field to be mutable.)
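One way to express the check the expected results ask for, as an added example that is not part of the original report or the add-on's own code. The function names, the sample objects and the alias value are assumptions; it also goes slightly beyond the report by treating readonly fields and fields inside a disabled fieldset the same way.

```javascript
// Hypothetical helpers for an add-on content script (names are assumptions).
// They read only standard DOM properties, so the constructed plain objects
// below can stand in for real elements when run under Node.

// True if the control is disabled directly or via an ancestor <fieldset disabled>.
// The first-<legend> exception is ignored, which errs toward not offering a fill.
function isEffectivelyDisabled(el) {
  if (el.disabled === true) return true;
  for (let node = el.parentElement; node; node = node.parentElement) {
    if (node.tagName === "FIELDSET" && node.disabled === true) return true;
  }
  return false;
}

// Only editable email inputs are candidates for an injected fill button.
function canOfferFill(el) {
  return el.tagName === "INPUT" && el.type === "email" &&
         !el.readOnly && !isEffectivelyDisabled(el);
}

// Re-check at click time: the page may have disabled the field after the
// button was rendered. Returns false and leaves the value untouched if so.
function fillIfAllowed(el, alias) {
  if (!canOfferFill(el)) return false;
  el.value = alias;
  return true;
}

// Constructed sample fields; "disabled" mirrors the testcase in the report.
function makeInput(overrides) {
  return Object.assign({ tagName: "INPUT", type: "email", disabled: false,
                         readOnly: false, value: "", parentElement: null }, overrides);
}
const lockedFieldset = { tagName: "FIELDSET", disabled: true, parentElement: null };
const samples = {
  editable: makeInput({}),
  disabled: makeInput({ disabled: true, value: "foo@example.org" }),
  readOnly: makeInput({ readOnly: true, value: "foo@example.org" }),
  inFieldset: makeInput({ value: "foo@example.org", parentElement: lockedFieldset }),
};

for (const [name, el] of Object.entries(samples)) {
  console.log(name, canOfferFill(el));
}
```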