Re: Password autofilling

2018-01-21 Thread Tom Ritter
On Sun, Jan 21, 2018 at 6:29 PM, Jonathan Kingston wrote: >> But this vector is not realistic. The website _included_ the third party. They want this tracking to occur. If we blocked invisible login forms from autofill - the website will make the forms unobtrusively visible

Re: Password autofilling

2018-01-21 Thread Jonathan Kingston
> But this vector is not realistic. The website _included_ the third party. They want this tracking to occur. If we blocked invisible login forms from autofill - the website will make the forms unobtrusively visible so they get autofilled. Do we know this? My understanding was most research

Re: Password autofilling

2018-01-18 Thread Tom Ritter
It seems we are in a bad position here. There's two vectors: The browser and the website are collaborating to mitigate tracking by a third party. The third party makes an invisible login form - well we can restrict autofill to only visible elements. Or make a write-only form field that prevents

Re: Password autofilling

2018-01-18 Thread Jonathan Kingston
I wanted to follow up to make it clear what the change would look like. Here is what autofill population looks like: Here is what it looks like after autofill is disabled: This then becomes consistent with Private Browsing mode and HTTP sites already work. This is also consistent with how

Re: Password autofilling

2018-01-09 Thread Eric Rescorla
On Tue, Jan 9, 2018 at 8:43 AM, Gervase Markham wrote: > On 01/01/18 20:08, Jonathan Kingston wrote: > > A recent research post[1] has highlighted the need for Firefox to disable autofilling of credentials. The research post suggests web trackers are using

Re: Password autofilling

2018-01-09 Thread Gervase Markham
On 01/01/18 20:08, Jonathan Kingston wrote: > A recent research post[1] has highlighted the need for Firefox to disable autofilling of credentials. The research post suggests web trackers are using autofilling to track users around the web. Autofill is restricted to same-domain (roughly) so

Re: Password autofilling

2018-01-08 Thread Jonathan Kingston
So it turns out dev-platform is plain text. Here is a link explaining the states instead: https://imgur.com/a/JO6pk Thanks Jonathan On Mon, Jan 8, 2018 at 2:10 PM, Jonathan Kingston wrote: > I wanted to follow up to make it clear what the change would look like. > > Here is

Fwd: Password autofilling

2018-01-08 Thread Jonathan Kingston
I wanted to follow up to make it clear what the change would look like. Here is what autofill population looks like: Here is what it looks like after autofill is disabled: This then becomes consistent with Private Browsing mode and HTTP sites already work. This is also consistent with

Re: Password autofilling

2018-01-02 Thread Jonathan Kingston
There are some other alternatives that we could take here: 1. Improve the UX of autofill a. present the credentials to the user on visible forms when the page loads - Google had a project on doing this and it never got completed. It appears there are many issues with this solution [4]. 2.

Re: Password autofilling

2018-01-02 Thread Axel Hecht
On 02.01.18 at 17:22, Gijs Kruitbosch wrote: On 01/01/2018 20:08, Jonathan Kingston wrote: We have the ability to turn off the whole login manager within Firefox preferences: "Remember logins and passwords for web sites" but no way to prevent autofill. There's an about:config pref, as [1]

Re: Password autofilling

2018-01-02 Thread Gijs Kruitbosch
On 01/01/2018 20:08, Jonathan Kingston wrote: We have the ability to turn off the whole login manager within Firefox preferences: "Remember logins and passwords for web sites" but no way to prevent autofill. There's an about:config pref, as [1] points out, which does this. I wonder if there's

Password autofilling

2018-01-01 Thread Jonathan Kingston
A recent research post[1] has highlighted the need for Firefox to disable autofilling of credentials. The research post suggests web trackers are using autofilling to track users around the web. Currently we take the stance to require user interaction for addresses and credit card filling,