whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Prevent autofill of hidden fields #3719

Open LJWatson opened 6 years ago

LJWatson commented 6 years ago

When fields with the autocomplete attribute wearing the autofill expectation mantle are hidden off-screen or disguised visually, personal data can still be entered by a UA with autofill functionality. This represents a privacy and security risk for users.

A warning that UAs should verify that all fields in this state are visible within the viewport before automatically entering data has been added to W3C HTML (w3c/html#1285 via w3c/html#1372), but it seems that (with implementor interest) this is something that should be more seriously addressed.

annevk commented 6 years ago

cc @whatwg/security

frehner commented 1 year ago

Hello! Considering this was added to the w3c spec in the past, what is the current state of this proposal for WHATWG?

I'm running into an issue where web developers are not sure what to expect from UAs - can they expect UAs to autofill hidden/visually-hidden fields, or should UAs not be doing that?

Or is this an area that is intentionally vague?

annevk commented 1 year ago

It's a UI matter, which means it's intentionally somewhat vague at a high level. However, we could probably provide more guidance here. I think ensuring that the end user knows what ends up being shared is important. You could imagine UIs for that which work even when the eventual controls are hidden, but they're not necessarily the most ergonomic.

cc @battre @hsinyi

frehner commented 1 year ago

> I think ensuring that the end user knows what ends up being shared is important.

Agreed! I think that was the original reasoning for the addition to the W3C spec, and I like the wording that they had there.

https://github.com/w3c/html/pull/1372/files

> When fields with the <{autocompleteelements/autocomplete}> attribute wearing the autofill expectation mantle are hidden off-screen or visually disguised, personal data may still be entered when using the autofill feature of browsers and password managers. User agents should verify that all fields with the <{autocompleteelements/autocomplete}> attribute wearing the autofill expectation mantle are visible within the viewport before automatically entering data.
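Added example, not code from the thread or from either spec: the "visible within the viewport" check the quoted W3C text asks UAs to perform, written as a decision function a UA or password manager could run on a field with an autofill expectation before filling it. Every name here (shouldAutofill, AUTOFILL_TOKENS, the descriptor shape) is an assumption, and the field list is constructed for the demonstration.

```javascript
// Added example, not from the thread: decide whether a field with an autofill
// expectation is plainly visible inside the viewport before autofilling it.
const AUTOFILL_TOKENS = new Set(["name", "given-name", "family-name", "email", "tel",
  "street-address", "postal-code", "cc-number", "cc-exp", "cc-csc", "username",
  "current-password", "new-password"]);

// Last token of the autocomplete value: "shipping street-address" -> "street-address".
function autofillToken(autocomplete) {
  const t = (autocomplete || "").trim().toLowerCase().split(/\s+/).filter(Boolean);
  return t.length ? t[t.length - 1] : "";
}

// field: { autocomplete, rect: {x, y, width, height}, style: {display, visibility, opacity} }
// Returns { fill, reason }; fill is true only when the field carries an autofill
// expectation AND is plainly visible inside the viewport { width, height }.
function shouldAutofill(field, viewport) {
  const token = autofillToken(field.autocomplete);
  if (!AUTOFILL_TOKENS.has(token)) return { fill: false, reason: "no autofill expectation" };
  const s = field.style, r = field.rect;
  if (s.display === "none") return { fill: false, reason: "display:none" };
  if (s.visibility !== "visible") return { fill: false, reason: "visibility:" + s.visibility };
  if (Number(s.opacity) < 0.1) return { fill: false, reason: "near-transparent" };
  if (r.width < 1 || r.height < 1) return { fill: false, reason: "zero-size box" };
  // Off-screen placement (e.g. left:-9999px) is the classic way to disguise a field.
  const onScreen = r.x + r.width > 0 && r.y + r.height > 0 &&
                   r.x < viewport.width && r.y < viewport.height;
  return onScreen ? { fill: true, reason: "visible " + token }
                  : { fill: false, reason: "outside viewport" };
}

// Constructed sample: one honest field and three disguised ones on a 1280x800 viewport.
const VIEWPORT = { width: 1280, height: 800 };
const mk = (autocomplete, x, y, w, h, display = "block", opacity = "1") =>
  ({ autocomplete, rect: { x, y, width: w, height: h },
     style: { display, visibility: "visible", opacity } });
const SAMPLE_FIELDS = [
  mk("email", 300, 200, 240, 32),
  mk("shipping street-address", -9999, 200, 240, 32),
  mk("cc-number", 300, 240, 240, 32, "block", "0"),
  mk("tel", 0, 0, 0, 0, "none"),
];

// Reason string for each sample field, in order.
function auditSample() {
  return SAMPLE_FIELDS.map((f) => shouldAutofill(f, VIEWPORT).reason);
}
```

In a browser the descriptor would be built from getComputedStyle() and getBoundingClientRect(); getComputedStyle reports only the element's own opacity, so an ancestor's opacity:0 is missed by this check, and Element.checkVisibility() in current browsers is a better first filter where available.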