
Password fields should disable autocomplete #3019

Closed
fbender opened this Issue Nov 29, 2011 · 6 comments

4 participants

fbender commented Nov 29, 2011

As HTML5 is now officially supported in Contao, I'd like to see password input fields disabling autocomplete in the backend / DCA by default, and maybe some frontend password input fields (most notably the password reset field in the "personal data" module). You should also be able to set the autocomplete attribute via DCA.

Why?

  • First of all, there is one major issue when letting your browser save your credentials for the backend login (which is not advised but cannot be forbidden): When you e. g. edit members/users, the password field can be pre-filled with the editor's password, triggering an error when you try to save it (due to the empty password check field). This could apply to every "password" field e. g. used in extensions.
  • Plus, we could teach users a lesson on how to handle login credentials (i. e. you shouldn't save them) if we disable autocomplete on the backend login page (not the frontend, though, as this impacts usability).
  • Apart from this, logically, backend form fields shouldn't be pre-filled by the user agent. The data entered here is simply not personal data (except maybe the user's personal data page). So backend forms should use the autocomplete attribute for forms.

What about backwards compatibility / XHTML1 mode? No problem! Though autocomplete is only standardized in HTML5, the attribute has been honoured by most user agents for months and years. All other versions of user agents simply ignore the attribute. It won't validate in non-HTML5 but it won't trigger any error.

Related issues: #2835, #2902

--- Originally created on April 19th, 2011, at 03:58pm (ID 3019)
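Added example, not part of this issue or of Contao's own code: a small Python audit that walks backend form markup and reports every password input whose effective autocomplete setting still allows the user agent to prefill it (the "editor's password lands in another user's password field" problem described above), plus a helper that renders a password input with the attribute set. The sample markup and the form ids `tl_member` / `tl_login` are constructed for the example. The audit accepts `new-password` as well as `off`, because the HTML standard defines `new-password` for fields that set a new password, and current browsers largely ignore `autocomplete="off"` on password fields while honouring `new-password`.

```python
"""Audit HTML forms for password inputs that the browser may still prefill."""
from html import escape
from html.parser import HTMLParser

# Values that stop the user agent from dropping a stored credential into the field.
SAFE_VALUES = {"off", "new-password"}
# Autocomplete tokens the render helper will accept (subset of the HTML spec).
KNOWN_VALUES = {"on", "off", "new-password", "current-password"}


class PasswordFieldAuditor(HTMLParser):
    """Collects every <input type="password"> with its effective autocomplete value.

    A form-level autocomplete attribute is inherited by inputs that set none of
    their own; an input's own attribute always wins.
    """

    def __init__(self):
        super().__init__()
        self.form_id = None            # id of the enclosing <form>, if any
        self.form_autocomplete = None  # autocomplete value on the enclosing <form>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "form":
            self.form_id = a.get("id")
            self.form_autocomplete = (a.get("autocomplete") or "").lower() or None
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            own = (a.get("autocomplete") or "").lower()
            effective = own or self.form_autocomplete or "on"  # default is "on"
            self.findings.append({
                "form": self.form_id,
                "name": a.get("name"),
                "effective": effective,
                "ok": effective in SAFE_VALUES,
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_id = None
            self.form_autocomplete = None


def audit_password_fields(markup: str) -> list:
    """Return one finding per password input in the given markup."""
    parser = PasswordFieldAuditor()
    parser.feed(markup)
    parser.close()
    return parser.findings


def unsafe_password_fields(markup: str) -> list:
    """Only the password inputs the user agent may still prefill."""
    return [f for f in audit_password_fields(markup) if not f["ok"]]


def render_password_field(name: str, autocomplete: str = "off") -> str:
    """Render a password input with autocomplete set; attribute values are escaped."""
    if autocomplete not in KNOWN_VALUES:
        raise ValueError(f"unknown autocomplete value: {autocomplete!r}")
    return (f'<input type="password" name="{escape(name, quote=True)}" '
            f'autocomplete="{autocomplete}">')


# Constructed sample: a member-edit form with one unprotected password field and
# a login form that inherits autocomplete="off" from its <form> element.
SAMPLE_BACKEND_FORMS = """
<form id="tl_member" method="post">
  <input type="text" name="username" value="j.doe">
  <input type="password" name="password">
  <input type="password" name="confirm" autocomplete="new-password">
</form>
<form id="tl_login" method="post" autocomplete="off">
  <input type="text" name="username">
  <input type="PASSWORD" name="password">
</form>
"""

if __name__ == "__main__":
    for f in audit_password_fields(SAMPLE_BACKEND_FORMS):
        status = "ok " if f["ok"] else "BAD"
        print(f"{status} form={f['form']} field={f['name']} autocomplete={f['effective']}")
    print(render_password_field("password", autocomplete="new-password"))
```

Run against a rendered backend page, the audit prints `BAD form=tl_member field=password autocomplete=on` for the one field the issue is about; the login form's field passes because the attribute set on the `<form>` applies to every input inside it.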

Owner

leofeyer commented Nov 29, 2011

Does autocomplete off mean that you are not able to use the browser's password manager anymore?

--- Originally created on April 27th, 2011, at 01:53pm

@ghost ghost assigned leofeyer Nov 29, 2011

Member

aschempp commented Nov 29, 2011

I don't think it is related to the password manager. It tells the browser not to store values you previously entered into that field. Highly important on credit card fields, I suppose password fields are disabled from autocompletion automatically.

--- Originally created on April 27th, 2011, at 02:04pm

fbender commented Nov 29, 2011

It should mean that the user agent won't fill out any input element or form by itself where autocomplete is off. I guess it will disable the password manager if used in a login form (don't know what happens if only used with the password field – might disable auto-write of the password but not user name).

IMO, it should be added to all backend password and other sensitive input fields (to prevent the user agent from accidentally entering the backend user's password in another user's password field – see #2835).

It could be added to the backend login form, to prevent people from storing sensitive login data in a browser. It should not be added to any frontend login form.

It could also be added to all backend forms but this could prevent the (very helpful) "previously entered data dropdowns" to disappear. Haven't tested that one yet.

--- Originally created on May 7th, 2011, at 03:28pm

Owner

leofeyer commented Nov 29, 2011

Implemented in b895a58.

--- Originally created on May 30th, 2011, at 03:36pm

Owner

leofeyer commented Nov 29, 2011

--- Originally completed on May 30th, 2011, at 03:36pm

@leofeyer leofeyer closed this Nov 29, 2011

Maybe it's a really good idea to deactivate the autocomplete function of all fields in the configuration and all other backend forms.
