Re: Rationale for filling in passwords only on a tab keystroke

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Re: Rationale for filling in passwords only on a tab keystroke

Matthew N.
On 9/26/14 3:04 PM, Daniel Glus wrote:
> Hi,
>
> I was just wondering what the rationale is for making Firefox only fill in
> users' passwords when the user has tabbed past the username (or email
> address, or whatever) field into the password field. Does it have anything
> to do with security?

We now do this when the page requests @autocomplete=off instead of not
allowing suggestions at all like we did in the past. This is useful for
forms where it's unlikely that the user will want to fill in their own
username and password into a form e.g. if you are an administrator
editing the account information for another user. Some websites use it
for added security to avoid automated extraction like Tanvi pointed out.

If you have one saved signon for a domain and it doesn't have
@autocomplete=off (on the form, username field, or password) then you
shouldn't see this behaviour.

MattN
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security