[ https://issues.apache.org/jira/browse/DRILL-8391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17679172#comment-17679172 ]
ASF GitHub Bot commented on DRILL-8391:
---------------------------------------

cgivre merged PR #2743:
URL: https://github.com/apache/drill/pull/2743

> Set autocomplete="off" on the password field of web UI login forms
> ------------------------------------------------------------------
>
>                 Key: DRILL-8391
>                 URL: https://issues.apache.org/jira/browse/DRILL-8391
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Web Server
>    Affects Versions: 1.20.3
>            Reporter: James Turton
>            Assignee: James Turton
>            Priority: Trivial
>             Fix For: 1.21.0
>
>
> In order to avoid triggering security scanners it is necessary to set
> autocomplete = "off" on the password field in the web UI login form. This
> change probably has no real world security benefit because
> {quote}Even without a master password, in-browser password management is
> generally seen as a net gain for security. Since users do not have to
> remember passwords that the browser stores for them, they are able to choose
> stronger passwords than they would otherwise.
> For this reason, many modern browsers do not support {{autocomplete="off"}}
> for login fields:
> {quote}
> * {quote}If a site sets {{autocomplete="off"}} for a
> [{{<form>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form],
> and the form includes username and password input fields, then the browser
> still offers to remember this login, and if the user agrees, the browser will
> autofill those fields the next time the user visits the page.
> {quote}
> * {quote}If a site sets {{autocomplete="off"}} for username and password
> [{{<input>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input]
> fields, then the browser still offers to remember this login, and if the user
> agrees, the browser will autofill those fields the next time the user visits
> the page
> {quote}
> Excerpt taken from [this Mozilla Developer Network
> page|https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion].

--
This message was sent by Atlassian Jira
(v8.20.10#820010)