[ 
https://issues.apache.org/struts/browse/STR-3189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jim Manico updated STR-3189:
----------------------------

    Description: 
I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest 
release of the 1.x Struts line.

I would like the ability to disable autocomplete in an HTML form. Sadly (from a 
security perspective), most every browser enables autocomplete by default. We 
need to explicitly attribute our form html with autocomplete="off" - in both 
the form and form element tags of HTML 4.01+ pages. This is a very basic 
security protection. Wanting to prevent the browser from caching credit card 
number, PII and other critical user data is a no-brainer; appsec 101.
  
Now, the recent 1.3.10 release made a great stride in this direction. Finally 
for the first time the main Struts 1.3.x branch supports the autocomplete tag 
(which defensive coders need - just to disable this feature via html!). But 
it's still not enabled by default in Struts!  I need to modify the struts tld 
xml file in order to enable the autocomplete form and form element attribute; 
which takes me off the main branch of Struts 1.3.x.  

I implore you to consider enabling autocomplete by default, so we can turn it 
off - without having to customize our version of struts 1.3.x! The best 
security is "secured by default", and this request moves us in that direction. 

Jim Manico
OWASP, Intrinsic Security Working Group

  was:
I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest 
release of the 1.x Struts line.

I would like the ability to disable autocomplete in an HTML form. This is 
really a basic security principle that all modern browsers support even when 
rendering 4.01 transitional. Sadly, by default, most every browser enables 
autocomplete. We need to explicitly say autocomplete="off" in both the form and 
form element tags in order to gain this very basic security protection. 
Preventing the browser from caching credit card number and the like is a 
no-brainer; appsec 101.

Now, the recent 1.3.10 release made a great stride in this direction. Finally 
for the first time the main Struts 1.3.x branch supports the Autocomplete tag 
(just so we can disable this feature). But it's still not enabled by default!  
I need to modify the tld in order to enable the autocomplete form and form 
element attribute; which takes me off the main branch of Struts 1.3.x. 

I implore you to consider enabling autocomplete by default, so we can turn it 
off - for real! The best security is "secured by default". 

Jim Manico
OWASP, Intrinsic Security Working Group



> Enable the Autocomplete tag by default
> --------------------------------------
>
>                 Key: STR-3189
>                 URL: https://issues.apache.org/struts/browse/STR-3189
>             Project: Struts 1
>          Issue Type: Improvement
>          Components: Tag Libraries
>    Affects Versions: 1.3.10
>         Environment: All
>            Reporter: Jim Manico
>
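The request above hinges on one detail: autocomplete="off" has to be present on both the form tag and each sensitive form element tag, and a rendered page that has it in only one place is still exposed. The following audit script is an added example, not part of the issue or of Struts; it parses rendered HTML (the constructed SAMPLE below stands in for output of the Struts html taglib) and reports every form, and every password or card/PII-looking input, that lacks autocomplete="off". The field-name keywords in SENSITIVE are an assumption for the example.

```python
from html.parser import HTMLParser

# Assumed keywords that mark an input as carrying sensitive data when they
# appear in its name attribute (password-type inputs are always sensitive).
SENSITIVE = {"password", "card", "ccnum", "cvv", "ssn"}


class AutocompleteAuditor(HTMLParser):
    """Collects <form> and sensitive <input> elements without autocomplete="off"."""

    def __init__(self):
        super().__init__()
        self.findings = []

    @staticmethod
    def _is_off(attrs):
        # Attribute may be absent (None) or present with no value.
        return (attrs.get("autocomplete") or "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and not self._is_off(a):
            self.findings.append(("form", a.get("name") or a.get("action") or "?"))
        elif tag == "input":
            itype = (a.get("type") or "text").lower()
            name = (a.get("name") or "").lower()
            sensitive = itype == "password" or any(k in name for k in SENSITIVE)
            # The form-level attribute does not excuse the element: check each one.
            if sensitive and not self._is_off(a):
                self.findings.append(("input", a.get("name") or "?"))


def audit(html):
    """Return a list of (element, name) pairs that still allow autocomplete."""
    parser = AutocompleteAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: a checkout form with no form-level attribute and a
# login form that sets it only on the form, not on the password field.
SAMPLE = """
<form name="checkout" action="/pay.do" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="ccNumber" autocomplete="off">
</form>
<form name="login" action="/login.do" autocomplete="off">
  <input type="password" name="pw">
</form>
"""

if __name__ == "__main__":
    for element, name in audit(SAMPLE):
        print(f"autocomplete not disabled on <{element}> {name}")
```

Run against real rendered pages, an empty result means every form and every sensitive field carries the attribute; anything listed is a field the browser may still offer to cache.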

-- 
This message is automatically generated by JIRA.