[wp-trac] [WordPress Trac] #41136: Login forms lacking autocomplete attributes
WordPress Trac
noreply at wordpress.org
Mon Mar 28 00:00:12 UTC 2022
#41136: Login forms lacking autocomplete attributes
------------------------------+--------------------------------------------
Reporter: johnjamesjacoby | Owner: joedolson
Type: defect (bug) | Status: accepted
Priority: normal | Milestone: 6.0
Component: Login and Registration | Version:
Severity: normal | Resolution:
Keywords: needs-patch | Focuses: accessibility, administration
------------------------------+--------------------------------------------
Comment (by peterwilsoncc):
Replying to [comment:12 joedolson]:
> One thing I think this will need is to provide a filter so that
> autocomplete can be disabled; sites with higher security needs might need
> an easy way to disable this feature.
According to caniuse, browsers ignore `off` for the following fields:
* Chrome, Edge: intentionally ignores `autocomplete="off"` when the user
uses the browser's autofill functionality.
* Firefox: ignores `autocomplete="off"` for login forms.
* Safari: ignores the `off` value for username, email and password fields
It's also worth noting that since [comment:3 comment#3] several years ago,
support for autocomplete has become universal with the exceptions noted
above.
> Overall, however, I think this is more of a benefit than a potential for
> harm. Would benefit from some additional voices on the security side,
> however.
From a security perspective, I think it's fine to include the autocomplete
values. I don't think adding filters is necessary given the browser
manufacturers' decisions documented above.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/41136#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
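
Added example, not part of the ticket or of WordPress core: a small audit that reports credential inputs in a form that have no autocomplete attribute, or that set `off`, which the browser notes in the comment above say is ignored for login fields. The sample markup, field names and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample markup (assumption: not WordPress's actual login form).
SAMPLE_FORM = """
<form name="loginform" method="post">
  <input type="text" name="username" id="user_login">
  <input type="password" name="password" id="user_pass" autocomplete="off">
  <input type="checkbox" name="remember" value="1">
  <input type="submit" value="Log In">
</form>
"""

# Input types covered by the browser notes above (username, email, password).
CREDENTIAL_TYPES = {"text", "email", "password"}


class AutocompleteAudit(HTMLParser):
    """Collect (field name, finding) pairs for credential inputs inside forms."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            self._check(dict(attrs))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

    def _check(self, attrs):
        # A missing type attribute defaults to a text input.
        if (attrs.get("type") or "text").lower() not in CREDENTIAL_TYPES:
            return
        name = attrs.get("name") or attrs.get("id") or "?"
        value = (attrs.get("autocomplete") or "").strip().lower()
        if not value:
            self.findings.append((name, "missing autocomplete attribute"))
        elif value == "off":
            self.findings.append((name, "autocomplete=off (browsers may ignore it)"))


def audit(html):
    """Return the list of findings for the given markup."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```
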