[sf-lug] what's the mechanism that a website can use to prevent stored information from filling out a form?

Michael Shiloh michaelshiloh1010 at gmail.com
Mon Jun 23 17:32:38 PDT 2014


Technically, both the web page and the browser share the responsibility: 
the web page must have:

  autocomplete = "off"

and the browser must honor it.

I wish all sensitive services (e.g. banks) would have autocomplete 
turned off, but of course that's not up to me and others might disagree. 
Of course I know that if I use a public or shared computer to access 
sensitive services I alone am to blame.

However, the reason I brought this up was to understand why this 
behavior suddenly changed, after years of not allowing autocomplete. I 
understand now it's because FF 30 removed this ability.

Thanks everyone, this has been educational, as always.

Michael

On 06/23/2014 03:52 PM, Samir Faci wrote:
> I really don't think it's on the bank side to disable that feature.  It's
> your choice if you allow a certain form to remember your user/password.
>   The example you were giving is for Firefox.
>
> If they fix it for FF, then they would have to address it on every browser,
> OS, mobile, PC combination.  I don't think that's feasible.  Their
> responsibility really ends at the browser.
>
> If you choose to use IE6, well it's your own fault.  If you choose to store
> all your user/passwords in a password manager... or only access your bank
> website through a VM that has no persistent data on shut down.
>
> Your level of security and lack thereof is completely at your discretion.
>   Your bank is responsible for securing against weak passwords, cross-site
> scripting, SQL injections, but I don't think they should do anything
> regarding the issue you were describing.
>
> Just my 2 cents though.. you're free to email them and ask.
>
> On Sun, Jun 22, 2014 at 5:25 PM, Michael Shiloh <michaelshiloh1010 at gmail.com> wrote:
>
>> Thanks. That's very helpful.
>>
>> Especially
>>
>>> A more complete description is here:
>>>
>>> https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
>>
>> Wherein:
>>
>> "Note: The ability for websites to disable the password manager using
>> autocomplete = "off"  is being removed in Firefox 30 (bug 956906)"
>>
>> In fact, I'm using FF 30, so possibly the "feature" is with Firefox and
>> not the fault of my bank. I can't recall when my FF changed to 30.
>>
>> Thanks again,
>> Michael
>>
>
>
>
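
An added example, not part of the original message or anyone's code in the thread: a Python sketch of the page's half of the mechanism discussed above. It reports the effective autocomplete setting of each form field (a field's own attribute, else the one on its form) and lists password fields that rely on autocomplete="off", which per the MDN note quoted in the thread Firefox 30 no longer honors for the password manager. The sample HTML and all function and class names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample page (not from the thread): one form-level opt-out,
# one per-field opt-out, and one field with no opt-out at all.
SAMPLE_HTML = """
<form id="login" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form id="pin">
  <input type="password" name="pin" autocomplete="off">
  <input type="text" name="memo">
</form>
"""

class AutocompleteAudit(HTMLParser):
    """Hypothetical helper: record the effective autocomplete of every <input>."""

    def __init__(self):
        super().__init__()
        self.form_id = None
        self.form_setting = None   # autocomplete value on the enclosing <form>
        self.fields = []           # (form id, field name, type, effective setting)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_id = a.get("id")
            self.form_setting = (a.get("autocomplete") or "").strip().lower() or None
        elif tag == "input":
            own = (a.get("autocomplete") or "").strip().lower() or None
            # The field's own attribute wins; otherwise it inherits the form's; default "on".
            effective = own or self.form_setting or "on"
            self.fields.append((self.form_id, a.get("name"), (a.get("type") or "text").lower(), effective))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_id = self.form_setting = None

def audit(html):
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.fields

def password_fields_relying_on_off(html):
    """Password fields whose only opt-out is autocomplete="off", which the browser may ignore."""
    return [(form, name) for form, name, kind, eff in audit(html) if kind == "password" and eff == "off"]
```
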



