[buddypress-trac] [BuddyPress Trac] #6269: Add autocomplete="off" to bp-login widget password field
buddypress-trac
noreply at wordpress.org
Sun Mar 1 16:13:15 UTC 2015
#6269: Add autocomplete="off" to bp-login widget password field
-----------------------------+------------------------------
Reporter: Prometheus Fire | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: API | Version:
Severity: normal | Resolution:
Keywords: |
-----------------------------+------------------------------
Comment (by boonebgorges):
It's my understanding that browsers are dropping support for
'autocomplete=off' on password fields. See eg
http://stackoverflow.com/questions/3868299/is-autocomplete-off-compatible-with-all-modern-browsers/21348793#21348793
and
http://security.stackexchange.com/questions/49326/should-websites-be-allowed-to-disable-autocomplete-on-forms-or-fields.
I believe that the only practical effect of setting autocomplete=off on
password fields is to disable password managers. But, according to those
links, modern password managers and browsers ignore that setting anyway.
So I'm wondering if maybe the IBM Security AppScan ruleset is in the wrong
in this case.

On the other hand, wp-login.php does use autocomplete=off for the password
field (and the entire form, in fact). See
https://core.trac.wordpress.org/changeset/15710 and
https://core.trac.wordpress.org/ticket/24364

Do others have thoughts about best practices here?
--
Ticket URL: <https://buddypress.trac.wordpress.org/ticket/6269#comment:1>
BuddyPress Trac <http://buddypress.org/>