[wp-trac] [WordPress Trac] #61702: Post via email: Login Name field triggers Safari's login autocomplete

WordPress Trac noreply at wordpress.org
Thu Jul 18 21:57:05 UTC 2024 

#61702: Post via email: Login Name field triggers Safari's login autocomplete
----------------------------+-----------------------------
 Reporter:  ironprogrammer  |      Owner:  (none)
     Type:  enhancement     |     Status:  new
 Priority:  low             |  Milestone:  Awaiting Review
Component:  Administration  |    Version:
 Severity:  normal          |   Keywords:
  Focuses:                  |
----------------------------+-----------------------------
 In Safari, when navigating to ''Settings > Writing'', the "Post via email"
 **Login Name** field is auto-selected and the browser's autofill popup
 appears for the field (Safari's web form autofill is enabled by default).
 This field is selected/focused automatically by the browser upon
 navigating to the page. To reproduce, the user must have credentials saved
 for the WordPress site using Safari's password management feature.

 [[Image(https://cldup.com/_H3FDQ5obm.png)]]

 After some testing, the autofill popup appears to be triggered by the term
 "Login" in the field label. When the label is changed to something more
 generic (like "User"), it isn't automatically focused and the popup does
 not appear.

 **Why is this a problem?**
 IMHO, this issue stems from the prominence of this popup, which suggests
 the user should select a credential from the list. However, this isn't an
 actual login form (as password managers may assume), so autofilling these
 fields does not make sense.

 Where things could go wrong is that these are text fields stored as clear
 text in `wp_options`. If a user were to unwittingly click an available
 login fill option and save the form, then their site credentials could be
 unintentionally stored in the `mailserver_login` and `mailserver_pass`
 fields.

 Even if how Safari handles this field is the underlying issue, I think
 there could be an opportunity for WordPress to make this more user
 friendly, and to treat the field differently from a login form.

 **Why not use `autocomplete="off"`?**
 While most browsers offer [https://caniuse.com/input-autocomplete-onoff
 partial support] for this option, for security and accessibility reasons
 it is largely [https://developer.mozilla.org/en-
 US/docs/Web/Security/Practical_implementation_guides/Turning_off_form_autocompletion#managing_autofill_for_login_fields
 ignored for fields that relate to logins/credentials].

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/61702>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list