https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=41737

            Bug ID: 41737
           Summary: Page title (and thus browser history) exposes patron
                    names, other unnecessary PII
   Initiative type: ---
 Sponsorship status: ---
           Product: Koha
           Version: 24.11
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Staff interface
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
                CC: [email protected]

Created attachment 192234
  -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=192234&action=edit
An example of the floating/quick history menu in Edge displaying full patron
names, after a staff user has logged out of Koha.

We've recently had a library express privacy concerns relating to the exposure
of full patron names, along with application verbs like "issuing to" and
"modify user" in the page title, which propagates to browser history and
persists after a staff interface logout.

While live page titles and browser history of computers used by administrative
staff should be considered "not for viewing by unauthenticated users", some
cases of computer-sharing or shoulder-surfing in a library setting seem highly
likely. This inclusion of full names in page titles to me does not seem
strictly necessary. In some testing, we find that a popular CRM also exposes
names like this in page titles, while the administrative pages of Gitea and
Cloudflare seem to make an explicit effort not to do so. Do we think this
warrants changing?

I do feel this problem can most effectively be mitigated with process changes,
but the question remains: could Koha minimise PII exposure here without
impacting functionality?
