[css-ui-4] Define the ''input-security'' property. Fixes #2495. #6239
<pre class=anchors> | ||
urlPrefix: https://html.spec.whatwg.org/multipage/; spec:HTML | ||
text:password; type:attr-value; for:input/type; url: input.html#attr-input-type-password-keyword | ||
</pre> |
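Review bot: The hand-written anchor entry `text:password; type:attr-value; for:input/type` pins the link to the fragment `input.html#attr-input-type-password-keyword`, so a change on the HTML side would leave this link stale. Add a comment above the block marking it as temporary, and drop the entry once HTML exports the definition.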
I understand that the HTML markup is bad here and you can't reasonably use link-defaults, so this is fine for now. When you do the HTML PR, could you submit a fixup for these dfns as well?
Will do!
css-ui-4/Overview.bs
Outdated
so that it cannot be read by the user. | ||
</dl> | ||
|
||
The exact mechanism by which user agents obscure the text in the control is undefined. |
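Review bot: "so that it cannot be read by the user" at the end of the value definition promises more than the following sentence can back up, since the obscuring mechanism is left undefined. Consider wording it as a rendering requirement (the text is not displayed in readable form) and adding a note that the property only changes how the control is drawn, so an author who sets `none` puts the typed text on screen for anyone who can see the display.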
Keeping it undefined is correct, but this could use an example showing off the dot-replacement used by current UAs.
I've provided an example in 3f5738a.
css-ui-4/Overview.bs
Outdated
Name: input-security | ||
Value: auto | none | ||
Initial: ''input-security/auto'' | ||
Applies to: elements that accept sensitive text input, such as <{input/type/password|<input type=password>}> |
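Review bot: In the `Applies to:` line, "such as" leaves the set of affected elements open-ended, so two user agents could disagree on whether a control other than `<input type=password>` honours `input-security: none`. Because `none` turns obscuring off, the set should be exact: reference a defined term here and state in the prose which host-language elements it covers.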
This makes me vaguely uncomfortable. Is it indeed intended that this only works on password inputs, not on text inputs? If so, we should probably be clearer that this is host-language defined. Probably just say "Applies to: [=sensitive-text inputs=]" and define the term in the text as being host-language defined, and either specifying that in HTML only password inputs are sensitive-text inputs or linking to the spot you'll add in HTML that says the same.
> This makes me vaguely uncomfortable. Is it indeed intended that this only works on password inputs, not on text inputs?

That was the resolution. I'm not super enthused about this either—as I said in the original issue, it's sometimes desirable to obscure the text of other inputs, such as `<input type=tel>`. But I figure that's a discussion we can have in a followup issue.

> If so, we should probably be clearer that this is host-language defined. Probably just say "Applies to: [=sensitive-text inputs=]" and define the term in the text as being host-language defined, and either specifying that in HTML only password inputs are sensitive-text inputs or linking to the spot you'll add in HTML that says the same.

Okay, I'll do something like this.
I've given this a go in 3f5738a. Please let me know what you think, @tabatkins!
…ide a rendering example of 'input-security: auto;'.
Co-authored-by: Tab Atkins Jr. <jackalmage@gmail.com>
A long time ago we resolved to add an `input-security : auto | none` property that only applies to `<input type=password>`. Here's a PR that does this, though not very well. I'll write a corresponding PR for HTML's Rendering section too.