[ 
https://issues.apache.org/jira/browse/DRILL-8391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James Turton updated DRILL-8391:
--------------------------------
    Description: 
In order to avoid triggering security scanners it is necessary to set 
autocomplete = false on the password field in the web UI login form. This 
change probably has no real-world security benefit because
{quote}Even without a master password, in-browser password management is 
generally seen as a net gain for security. Since users do not have to remember 
passwords that the browser stores for them, they are able to choose stronger 
passwords than they would otherwise.

For this reason, many modern browsers do not support {{autocomplete="off"}} for 
login fields:
{quote} * 
{quote}If a site sets {{autocomplete="off"}} for a 
[{{<form>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form], 
and the form includes username and password input fields, then the browser 
still offers to remember this login, and if the user agrees, the browser will 
autofill those fields the next time the user visits the page.{quote}
 * 
{quote}If a site sets {{autocomplete="off"}} for username and password 
[{{<input>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input] 
fields, then the browser still offers to remember this login, and if the user 
agrees, the browser will autofill those fields the next time the user visits 
the page{quote}

Excerpt taken from [this Mozilla Developer Network 
page|https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion].

  was:In order to avoid triggering security scanners it is necessary to set 
autocomplete = false on the password field in the web UI login form.


> Disable auto complete on the password field of the web UI login form
> --------------------------------------------------------------------
>
>                 Key: DRILL-8391
>                 URL: https://issues.apache.org/jira/browse/DRILL-8391
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components: Web Server
>    Affects Versions: 1.20.3
>            Reporter: James Turton
>            Assignee: James Turton
>            Priority: Minor
>             Fix For: 1.21.0
>
>
> In order to avoid triggering security scanners it is necessary to set 
> autocomplete = false on the password field in the web UI login form. This 
> change probably has no real-world security benefit because
> {quote}Even without a master password, in-browser password management is 
> generally seen as a net gain for security. Since users do not have to 
> remember passwords that the browser stores for them, they are able to choose 
> stronger passwords than they would otherwise.
> For this reason, many modern browsers do not support {{autocomplete="off"}} 
> for login fields:
> {quote} * 
> {quote}If a site sets {{autocomplete="off"}} for a 
> [{{<form>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form], 
> and the form includes username and password input fields, then the browser 
> still offers to remember this login, and if the user agrees, the browser will 
> autofill those fields the next time the user visits the page.{quote}
>  * 
> {quote}If a site sets {{autocomplete="off"}} for username and password 
> [{{<input>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input] 
> fields, then the browser still offers to remember this login, and if the user 
> agrees, the browser will autofill those fields the next time the user visits 
> the page{quote}
> Excerpt taken from [this Mozilla Developer Network 
> page|https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
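
The check a scanner applies to a login form can be sketched as follows. This is an added example, not part of the original message and not Apache Drill's code. The sample markup is constructed, and the rule that a password field is flagged unless it or its enclosing form carries autocomplete="off" is an assumption about scanner behaviour.

```python
from html.parser import HTMLParser

# Constructed sample login forms; not Apache Drill's actual template.
SAMPLES = {
    "unset": '<form method="post"><input type="text" name="user">'
             '<input type="password" name="pass"></form>',
    "field_off": '<form method="post"><input type="text" name="user">'
                 '<input type="password" name="pass" autocomplete="off"></form>',
    "form_off": '<form method="post" autocomplete="off">'
                '<input type="password" name="pass"></form>',
    "field_on_in_off_form": '<form autocomplete="off">'
                            '<input type="password" name="pass" autocomplete="ON"></form>',
}

def normalise(value):
    """Lower-case an attribute value; missing or empty counts as unset."""
    return value.strip().lower() if value else None

class PasswordFieldAudit(HTMLParser):
    """Collects every <input type="password"> with its autocomplete settings."""

    def __init__(self):
        super().__init__()
        self.form_value = None  # autocomplete on the enclosing <form>, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_value = normalise(attrs.get("autocomplete"))
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            own = normalise(attrs.get("autocomplete"))
            # The field's own attribute takes precedence over the form's.
            effective = own if own is not None else self.form_value
            self.findings.append({
                "name": attrs.get("name"), "field": own, "form": self.form_value,
                # Assumed scanner rule: flag unless the effective value is "off".
                "flagged": effective != "off",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_value = None

def audit(html):
    """Return one finding per password input found in the markup."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for label, html in SAMPLES.items():
        print(label, audit(html))
```

A form that passes this check only satisfies the scanner; per the MDN excerpt quoted in the description, browsers still offer to remember and autofill the login.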
