[wp-trac] [WordPress Trac] #61702: Post via email: Login Name field triggers Safari's login autocomplete
WordPress Trac
noreply at wordpress.org
Thu Jul 18 21:57:05 UTC 2024
#61702: Post via email: Login Name field triggers Safari's login autocomplete
----------------------------+-----------------------------
Reporter: ironprogrammer | Owner: (none)
Type: enhancement | Status: new
Priority: low | Milestone: Awaiting Review
Component: Administration | Version:
Severity: normal | Keywords:
Focuses: |
----------------------------+-----------------------------
In Safari, when navigating to ''Settings > Writing'', the "Post via email"
**Login Name** field is auto-selected and the browser's autofill popup
appears for the field (Safari's web form autofill is enabled by default).
This field is selected/focused automatically by the browser upon
navigating to the page. To reproduce, the user must have credentials saved
for the WordPress site using Safari's password management feature.
[[Image(https://cldup.com/_H3FDQ5obm.png)]]
After some testing, the autofill popup appears to be triggered by the term
"Login" in the field label. When the label is changed to something more
generic (like "User"), it isn't automatically focused and the popup does
not appear.
**Why is this a problem?**
IMHO, this issue stems from the prominence of this popup, which suggests
the user should select a credential from the list. However, this isn't an
actual login form (as password managers may assume), so autofilling these
fields does not make sense.
Where things could go wrong is that these are text fields stored as clear
text in `wp_options`. If a user were to unwittingly click an available
login fill option and save the form, then their site credentials could be
unintentionally stored in the `mailserver_login` and `mailserver_pass`
fields.
Even if how Safari handles this field is the underlying issue, I think
there could be an opportunity for WordPress to make this more user
friendly, and to treat the field differently from a login form.
**Why not use `autocomplete="off"`?**
While most browsers offer
[https://caniuse.com/input-autocomplete-onoff partial support]
for this option, for security and accessibility reasons it is largely
[https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Turning_off_form_autocompletion#managing_autofill_for_login_fields ignored for fields that relate to logins/credentials].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/61702>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
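
The following check is an added example, not part of the original ticket or of WordPress core: it lets a site administrator see whether the scenario described above has already happened, by comparing the stored `mailserver_login` and `mailserver_pass` options with the site's own accounts. It assumes it runs inside a loaded WordPress install (for instance with WP-CLI's `wp eval-file`); the function name `audit_mailserver_options` is hypothetical.

```php
<?php
// Added audit sketch. Assumption: WordPress is already loaded,
// e.g. the file is run with `wp eval-file audit-mailserver.php`.

function audit_mailserver_options() {
	$findings = array();

	// The two "Post via email" options named in the ticket, stored as clear text.
	$login = (string) get_option( 'mailserver_login', '' );
	$pass  = (string) get_option( 'mailserver_pass', '' );

	if ( '' === $login ) {
		return $findings; // Nothing stored, nothing to compare.
	}

	// A saved browser credential may hold the user login or the e-mail address.
	$user = get_user_by( 'login', $login );
	if ( ! $user ) {
		$user = get_user_by( 'email', $login );
	}
	if ( ! $user ) {
		return $findings; // Value does not belong to a site account.
	}

	$findings[] = sprintf( 'mailserver_login matches site account ID %d', $user->ID );

	// Verify the clear-text option value against that account's stored hash.
	// No user ID is passed, so the call only compares and changes nothing.
	if ( '' !== $pass && wp_check_password( $pass, $user->user_pass ) ) {
		$findings[] = sprintf( 'mailserver_pass is the current password of account ID %d', $user->ID );
	}

	return $findings;
}

$findings = audit_mailserver_options();
if ( empty( $findings ) ) {
	echo "OK: Post via email options do not match any site account.\n";
} else {
	foreach ( $findings as $finding ) {
		echo "WARNING: {$finding}\n";
	}
	echo "Clear both fields under Settings > Writing and change the affected password.\n";
}
```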