[wp-trac] [WordPress Trac] #41636: Disable LastPass save prompt in Customizer's password fields
WordPress Trac
noreply at wordpress.org
Tue Nov 21 18:15:54 UTC 2017
#41636: Disable LastPass save prompt in Customizer's password fields
--------------------------+------------------------------
Reporter: cliffpaulick | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: 4.9
Severity: normal | Resolution:
Keywords: | Focuses: ui
--------------------------+------------------------------
Comment (by cliffpaulick):
@westonruter
Per https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
'''autocomplete="off"''' only works on forms, not fields, so I tried
changing the '''<form>''' line in '''/wp-admin/customize.php''' to
{{{
<form id="customize-controls" class="wrap wp-full-overlay-sidebar"
autocomplete="off">
}}}
and...
* LastPass didn't prompt for password fields (yeah!), but the first
''text'' field (surprising!) was prompted to me. I'm guessing this is a
bug on their end.
* 1password still prompted for a password save on a password field (worse
than LastPass) but never offered to save any text field (better than
LastPass but unaffected by '''autocomplete="off"''')
So...
* LastPass seems to respect '''autocomplete="off"''' (in a buggy way) even
though their own support site documents a different way (per ''field'',
not ''form'').
* I found
https://discussions.agilebits.com/discussion/comment/331839/#Comment_331839
where a 1password employee states that they purposefully ignore
'''autocomplete="off"''' and says most other password managers do too. He
said they wouldn't if site owners would use it correctly, but that it's
abused (e.g. banks not wanting you to store your password).
Based on all this information, should '''autocomplete="off"''' be added to
core's '''<form>''' -- because passwords aren't/shouldn't be set/updated
via the Customizer, right? -- and then at least it'd be best practice even
though password managers may not respect it?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41636#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
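
A way to check at the markup level what the change quoted in the comment above does, as an added example that is not part of the ticket or of WordPress core: it reports each input's effective autocomplete value, assuming the HTML rule that an input without its own attribute takes its form's value. The input names and sample markup are constructed, and a password manager may still ignore the result.

```python
from html.parser import HTMLParser

# Constructed sample markup: only the <form> tag comes from the ticket comment;
# the input names are hypothetical.
AFTER = """
<form id="customize-controls" class="wrap wp-full-overlay-sidebar" autocomplete="off">
  <input type="text" name="example_text_setting">
  <input type="password" name="example_password_setting">
</form>
"""
BEFORE = AFTER.replace(' autocomplete="off"', "")


class AutocompleteAudit(HTMLParser):
    """Record the effective autocomplete value of every <input>."""

    def __init__(self):
        super().__init__()
        self.form = None      # (id, autocomplete) of the currently open <form>
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        own = (a.get("autocomplete") or "").lower() or None
        if tag == "form":
            self.form = (a.get("id"), own)
        elif tag == "input":
            inherited = self.form[1] if self.form else None
            self.fields.append({
                "form": self.form[0] if self.form else None,
                "name": a.get("name") or a.get("id"),
                "type": (a.get("type") or "text").lower(),
                # A field's own attribute wins; otherwise the form's; else "on".
                "effective": own or inherited or "on",
                "source": "field" if own else ("form" if inherited else "default"),
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None


def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.fields


def password_fields_left_on(html):
    """Names of password inputs whose effective autocomplete is not "off"."""
    return [f["name"] for f in audit(html)
            if f["type"] == "password" and f["effective"] != "off"]
```
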