On Tue, Jan 9, 2018 at 8:43 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 01/01/18 20:08, Jonathan Kingston wrote: > > A recent research post[1] have highlighted the need for Firefox to > disable > > autofilling of credentials. The research post suggests web trackers are > > using autofilling to track users around the web. > > Autofill is restricted to same-domain (roughly) so how can they track > users "around the web"? The third party JS is loaded into the page's context: "Thus, third-party javascript can retrieve the saved credentials by creating a form with the username and password fields, which will then be autofilled by the login manager." Other than not being cleared when cookies are cleared, how is this > technique more powerful than a cookie containing one's email address? > Being unclearable is certainly more powerful, but it also allows cross-correlation between different tracking domains because the identifiers are stable. -Ekr > Autofill is an extremely, extremely convenient browser function, and the > fact that Firefox's current implementation doesn't always do the right > thing (e.g. offering me 3 choices of username and, when I pick one, 3 > choices of password rather than autofilling the one which matches the > username, </grump>) is a source of regular frustration. Let's not break > the usability more. > > Gerv > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform > _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform