[ https://issues.apache.org/jira/browse/DRILL-8391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Turton updated DRILL-8391: -------------------------------- Summary: Disable auto complete on the password field of the web UI login forms (was: Disable auto complete on the password field of the web UI login form) > Disable auto complete on the password field of the web UI login forms > --------------------------------------------------------------------- > > Key: DRILL-8391 > URL: https://issues.apache.org/jira/browse/DRILL-8391 > Project: Apache Drill > Issue Type: Improvement > Components: Web Server > Affects Versions: 1.20.3 > Reporter: James Turton > Assignee: James Turton > Priority: Trivial > Fix For: 1.21.0 > > > In order to avoid triggering security scanners it is necessary to set > autocomplete = "off" on the password field in the web UI login form. This > change probably has no real world security benefit because > {quote}Even without a master password, in-browser password management is > generally seen as a net gain for security. Since users do not have to > remember passwords that the browser stores for them, they are able to choose > stronger passwords than they would otherwise. > For this reason, many modern browsers do not support {{autocomplete="off"}} > for login fields: > {quote} > * > > {quote}If a site sets {{autocomplete="off"}} for a > [{{<form>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form], > and the form includes username and password input fields, then the browser > still offers to remember this login, and if the user agrees, the browser will > autofill those fields the next time the user visits the page. > {quote} * > {quote}If a site sets {{autocomplete="off"}} for username and password > [{{<input>}}|https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input] > fields, then the browser still offers to remember this login, and if the user > agrees, the browser will autofill those fields the next time the user visits > the page > {quote} > Excerpt taken from [this Mozilla Developer Network > page|https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion]. -- This message was sent by Atlassian Jira (v8.20.10#820010)