Closed hober closed 3 years ago
I just want to note that Edge allows the text of input type=password to be user-readable on user request, and that solves the use case for which websites convert their input type=password into type=text without introducing a new property.
I'd rather standardize this behavior than standardize the text-security property, to be quite honest. I'm always really surprised when I notice other browsers still don't have a button to show the value of a password textbox on user request.
The button is only available if you are typing the password. Autofilled values and javascript-filled passwords are not accessible through that button (but of course are via the DevTools)
It seems to me that adding a new value to text-transform
would make more sense than adding a new property.
What if text-transform
accepted a string, which covers more bases than the styles -webkit-text-security
offers? Though less specific to security, it could be useful for "spoiler" visuals?
text-transform: '\0020\00B7\0020';
@jonjohnjohnson Not saying this is the right answer for this particular issue, but if we're talking about allowing authors to define arbitrary text-transforms, I have this proposal: https://specs.rivoal.net/css-custom-tt/
@fantasai sure, adding a value to text-transform
seems reasonable to me. While -webkit-text-security
takes several values (offhand there's disc
, square
, and circle
), I think we only need one, which means "please obscure the text in the manner of a native password field" or the like.
The Working Group just discussed obscuring text for `<input type=password>` styling
, and agreed to the following resolutions:
RESOLVED: input-security: auto|none in UI 4 and applies to input type=password only
An increasing number of sites have switched their login forms from using
<input type=password>
to<input type=text>
for password input, in order to provide the ability to toggle display of the password text. This has the unfortunate side effect of preventing client-side password/account managers from correctly filling the form. We should spec the ability to toggle display of the contents of<input type=password>
to help sites avoid breaking such account managers.WebKit implements
<input type=password>
styling with a-webkit-text-security
property, for which there are several polyfills out there for other browsers (e.g. noppa/text-security), so perhaps it's the right cowpath to pave here.It's worth noting that it's sometimes desirable to obscure the text of other inputs—
<input type=tel>
, for instance.