Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Added autocomplete="off" to some password fields #275

Closed
wants to merge 1 commit into from
Closed

Added autocomplete="off" to some password fields #275

wants to merge 1 commit into from

Conversation

FranseHamburger
Copy link

No description provided.

chvp
chvp reviewed May 24, 2024
View reviewed changes
Copy link
Member

@chvp chvp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See also: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#the_autocomplete_attribute_and_login_fields

templates/session/login.html
@@ -34,7 +34,7 @@

<div class="field">
<label class="label">Password</label>
<input class="input is-medium" name="password" type="password" placeholder="Password" required />
<input class="input is-medium" name="password" type="password" placeholder="Password" required autocomplete="off" />
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would we not want autocomplete when signing in? I think we want to allow people to use password managers?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We got an email from UGent's automated vuln scanner
image

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After looking at this a bit better; I don't really agree with the vuln scanner, and think the best course of action is emailing DICT to disable those plugins. Another garbage detection as an example:
image

redfast00
redfast00 requested changes May 24, 2024
View reviewed changes
Copy link
Member

@redfast00 redfast00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, maybe we shouldn't do this; I think we should email UGent instead

@rien
Copy link
Collaborator

rien commented Jun 19, 2024

I am also against this, as this creates a less secure situation in my option.

@rien rien closed this Jun 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chvp chvp chvp left review comments

@redfast00 redfast00 redfast00 requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@FranseHamburger @rien @redfast00 @chvp