[css-ui-4] Define the ''input-security'' property. Fixes #2495. #6239
Conversation
| <pre class=anchors> | ||
| urlPrefix: https://html.spec.whatwg.org/multipage/; spec:HTML | ||
| text:password; type:attr-value; for:input/type; url: input.html#attr-input-type-password-keyword | ||
| </pre> |
There was a problem hiding this comment.
I understand that the HTML markup is bad here and you can't reasonably use link-defaults, so this is fine for now. When you do the HTML PR, could you submit a fixup for these dfns as well?
css-ui-4/Overview.bs
Outdated
| so that it cannot be read by the user. | ||
| </dl> | ||
|
|
||
| The exact mechanism by which user agents obscure the text in the control is undefined. |
There was a problem hiding this comment.
Keeping it undefined is correct, but this could use an example showing off the dot-replacement used by current UAs.
There was a problem hiding this comment.
I've provided an example in 3f5738a.
css-ui-4/Overview.bs
Outdated
| Name: input-security | ||
| Value: auto | none | ||
| Initial: ''input-security/auto'' | ||
| Applies to: elements that accept sensitive text input, such as <{input/type/password|<input type=password>}> |
There was a problem hiding this comment.
This makes me vaguely uncomfortable. Is it indeed intended that this only works on password inputs, not on text inputs? If so, we should probably be clearer that this is host-language defined. Probably just say "Applies to: [=sensitive-text inputs=]" and define the term in the text as being host-language defined, and either specifying that in HTML only password inputs are sensitive-text inputs or linking to the spot you'll add in HTML that says the same.
There was a problem hiding this comment.
This makes me vaguely uncomfortable. Is it indeed intended that this only works on password inputs, not on text inputs?
That was the resolution. I'm not super enthused about this either—as I said in the original issue, it's sometimes desirable to obscure the text of other inputs, such as <input type=tel>. But I figure that's a discussion we can have in a followup issue.
If so, we should probably be clearer that this is host-language defined. Probably just say "Applies to: [=sensitive-text inputs=]" and define the term in the text as being host-language defined, and either specifying that in HTML only password inputs are sensitive-text inputs or linking to the spot you'll add in HTML that says the same.
Okay, I'll do something like this.
There was a problem hiding this comment.
I've given this a go in 3f5738a. Please let me know what you think, @tabatkins!
…ide an rendering example of 'input-security: auto;'.
Co-authored-by: Tab Atkins Jr. <jackalmage@gmail.com>
A long time ago we resolved to add an
input-security : auto | noneproperty that only applies to<input type=password>. Here's a PR that does this, though not very well.I'll write a corresponding PR for HTML's Rendering section too.