Re: Password autofilling

2018-01-21 Thread Tom Ritter
On Sun, Jan 21, 2018 at 6:29 PM, Jonathan Kingston wrote: >> But this vector is not realistic. The website _included_ the third party. They want this tracking to occur. If we blocked invisible login forms from autofill - the website will make the forms unobtrusively visible

Re: Password autofilling

2018-01-21 Thread Jonathan Kingston
> But this vector is not realistic. The website _included_ the third party. They want this tracking to occur. If we blocked invisible login forms from autofill - the website will make the forms unobtrusively visible so they get autofilled. Do we know this? My understanding was most research

Re: Password autofilling

2018-01-18 Thread Tom Ritter
It seems we are in a bad position here. There are two vectors: The browser and the website are collaborating to mitigate tracking by a third party. The third party makes an invisible login form - well we can restrict autofill to only visible elements. Or make a write-only form field that prevents

Re: Password autofilling

2018-01-18 Thread Jonathan Kingston
I wanted to follow up to make it clear what the change would look like. Here is what autofill population looks like: Here is what it looks like after autofill is disabled: This then becomes consistent with Private Browsing mode and HTTP sites already work. This is also consistent with how

Re: Password autofilling

2018-01-09 Thread Eric Rescorla
On Tue, Jan 9, 2018 at 8:43 AM, Gervase Markham wrote: > On 01/01/18 20:08, Jonathan Kingston wrote: > > A recent research post[1] has highlighted the need for Firefox to disable autofilling of credentials. The research post suggests web trackers are using

Re: Password autofilling

2018-01-09 Thread Gervase Markham
On 01/01/18 20:08, Jonathan Kingston wrote: > A recent research post[1] has highlighted the need for Firefox to disable autofilling of credentials. The research post suggests web trackers are using autofilling to track users around the web. Autofill is restricted to same-domain (roughly) so

Re: Password autofilling

2018-01-08 Thread Jonathan Kingston
So it turns out dev-platform is plain text. Here is a link explaining the states instead: https://imgur.com/a/JO6pk Thanks Jonathan On Mon, Jan 8, 2018 at 2:10 PM, Jonathan Kingston wrote: > I wanted to follow up to make it clear what the change would look like. > > Here is

Re: Password autofilling

2018-01-02 Thread Jonathan Kingston
There are some other alternatives that we could take here: 1. Improve the UX of autofill a. present the credentials to the user on visible forms when the page loads - Google had a project on doing this and it never got completed. It appears there are many issues with this solution [4]. 2.

Re: Password autofilling

2018-01-02 Thread Axel Hecht
On 02.01.18 at 17:22, Gijs Kruitbosch wrote: On 01/01/2018 20:08, Jonathan Kingston wrote: We have the ability to turn off the whole login manager within Firefox preferences: "Remember logins and passwords for web sites" but no way to prevent autofill. There's an about:config pref, as [1]

Re: Password autofilling

2018-01-02 Thread Gijs Kruitbosch
On 01/01/2018 20:08, Jonathan Kingston wrote: We have the ability to turn off the whole login manager within Firefox preferences: "Remember logins and passwords for web sites" but no way to prevent autofill. There's an about:config pref, as [1] points out, which does this. I wonder if there's