Make password inputs not give away how many characters were typed #12659
This aligns with classic Jupyter Notebook behavior, and is generally a good security idea. Also, this decouples the implementation of the HTML input widget and the notion of the input being a password input by storing the password field as a private attribute of the stdin control, rather than relying on how the input was created.
Thanks for making a pull request to jupyterlab!
Thanks @jasongrout
CI failure is due to a flaky test and is unrelated.
Benchmark report
The execution times (in milliseconds) are grouped by test file, test type and browser. The mean relative comparison is computed with 95% confidence.
Changes are computed with expected as reference.
@meeseeksdev please backport to 3.4.x
…many characters were typed
…cters were typed (#12668) Co-authored-by: Jason Grout <jasongrout@users.noreply.github.com>
…pyterlab#12659) This aligns with classic Jupyter Notebook behavior, and is generally a good security idea. Also, this decouples the implementation of the HTML input widget and the notion of the input being a password input by storing the password field as a private attribute of the stdin control, rather than relying on how the input was created.
References
Adjusts the original password input implementation from #517 to not give away how many characters were typed.
Code changes
Make password inputs not give away how many characters were typed
This aligns with classic Jupyter Notebook behavior (always show 8 dots), and is generally a good security idea.
Also, this decouples the implementation of the HTML input widget and the notion of the input being a password input by storing the password field as a private attribute of the stdin control, rather than relying on how the input was created.
User-facing changes
Always show 8 dots as the value of the password input
Backwards-incompatible changes