
[SDK-1191] Lock social buttons now render as links instead of buttons #1760

Merged
merged 2 commits into master from fix/lastpass on Dec 4, 2019

Conversation

@stevehobbsdev
Contributor

@stevehobbsdev stevehobbsdev commented Nov 29, 2019

Changes

Lock social buttons now render as links instead of buttons. This is to fix an issue with LastPass not attaching its buttons to the input boxes on load.

I believe this is a security issue with LastPass (see security considerations on this doc). It won't initialize the extension on the form fields until some user interaction has happened, because there are button tags within the form (the social buttons). If a site hosting Lock was vulnerable to XSS attacks, they could potentially post login information to a malicious location if LastPass did actually pre-fill those form fields on page load.

Changing these buttons to links (without affecting the styles, other than providing an affordance that was normally provided by the browser) solves the issue.

Testing


  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language

Checklist
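The markup change the PR describes, as an added example that is not Lock's own code. It builds the "before" form (social controls as `<button>` elements inside the login `<form>`) and the "after" form (the same controls as `<a>` elements) as plain objects so it runs in Node without a DOM, then checks each form for `<button>` descendants. That check models the condition the PR author describes (button tags inside the form block autofill on load); it is not LastPass's actual heuristic. The `auth0-lock-*` class names, the form layout, and the `activatesLikeButton` helper are assumptions for illustration; the helper shows the affordance a practitioner has to restore by hand when a button becomes a link, since an anchor with `role="button"` is not activated by the Space key the way a real button is.

```javascript
// Added example, not Lock's own code. Models the before/after markup the PR
// describes as plain objects so it runs in Node without a DOM.
const el = (tag, attrs = {}, children = []) => ({ tag, attrs, children });

// Escape text and attribute values so a provider name can never break out of
// the generated markup.
const esc = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Serialise the element tree to an HTML string.
function toHtml(node) {
  if (typeof node === 'string') return esc(node);
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${esc(v)}"`)
    .join('');
  const inner = node.children.map(toHtml).join('');
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// Before: one <button> per social provider, placed inside the login form.
// (Class names are assumed, modelled on Lock's auth0-lock-* convention.)
function socialButtonsAsButtons(providers) {
  return providers.map((p) =>
    el('button',
      { type: 'button', class: `auth0-lock-social-button auth0-lock-social-${p}` },
      [p]));
}

// After: the same control rendered as <a>. An anchor has no native button
// semantics, so role="button" announces it correctly and tabindex="0" keeps
// it in the tab order; keyboard activation is handled separately below.
function socialButtonsAsLinks(providers) {
  return providers.map((p) =>
    el('a',
      { href: '#', role: 'button', tabindex: '0',
        class: `auth0-lock-social-button auth0-lock-social-${p}` },
      [p]));
}

// Constructed simplification of the login form: the social controls followed
// by the credential inputs (an assumption, not Lock's exact DOM).
function loginForm(socialControls) {
  return el('form', { class: 'auth0-lock-form' }, [
    ...socialControls,
    el('input', { type: 'email', name: 'email' }),
    el('input', { type: 'password', name: 'password' }),
  ]);
}

// Count <button> descendants of a form. This models the condition the PR
// author describes (button tags inside the form); it is not LastPass's logic.
function countButtonsInForm(form) {
  let n = 0;
  const walk = (node) => {
    if (typeof node === 'string') return;
    if (node.tag === 'button') n += 1;
    node.children.forEach(walk);
  };
  walk(form);
  return n;
}

// A native <button> fires click on both Enter and Space. An <a role="button">
// only follows its href on Enter, so a keydown handler has to treat Space as
// activation too, otherwise keyboard users lose the social login.
function activatesLikeButton(event) {
  return event.key === 'Enter' || event.key === ' ' || event.key === 'Spacebar';
}

// Constructed sample input.
const providers = ['google-oauth2', 'github'];
const before = loginForm(socialButtonsAsButtons(providers));
const after = loginForm(socialButtonsAsLinks(providers));

console.log('buttons inside form before:', countButtonsInForm(before));
console.log('buttons inside form after:', countButtonsInForm(after));
console.log(toHtml(after));
```

Running the block prints 2 for the "before" form and 0 for the "after" form, which is the difference the PR relies on; the serialised "after" markup shows the `role`/`tabindex` attributes that keep the links usable as buttons.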

@stevehobbsdev stevehobbsdev force-pushed the fix/lastpass branch from ca2d2a4 to 44145aa Nov 29, 2019
@stevehobbsdev stevehobbsdev changed the title Lock social buttons now render as links instead of buttons [SDK-1191] Lock social buttons now render as links instead of buttons Nov 29, 2019
@stevehobbsdev stevehobbsdev marked this pull request as ready for review Dec 3, 2019
@stevehobbsdev stevehobbsdev requested a review from auth0/dx-sdks-approver as a code owner Dec 3, 2019
@stevehobbsdev stevehobbsdev added this to the vNext milestone Dec 3, 2019
@stevehobbsdev stevehobbsdev merged commit 91f07d9 into master Dec 4, 2019
3 checks passed
ci/circleci: build-and-test Your tests passed on CircleCI!
license/snyk - package.json (auth0-sdks) No manifest changes detected
security/snyk - package.json (auth0-sdks) No manifest changes detected
@stevehobbsdev stevehobbsdev deleted the fix/lastpass branch Dec 4, 2019