Enable the Autocomplete tag by default
--------------------------------------
Key: STR-3189
URL: https://issues.apache.org/struts/browse/STR-3189
Project: Struts 1
Issue Type: Improvement
Components: Tag Libraries
Affects Versions: 1.3.10
Environment: All
Reporter: Jim Manico

I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest
release of the 1.x Struts line.

I would like the ability to disable autocomplete in an HTML form. This is
really a basic security principle that all modern browsers support even when
rendering 4.01 transitional. Sadly, by default, most every browser enables
autocomplete. We need to explicitly say autocomplete="off" in both the form and
form element tags in order to gain this very basic security protection.
Preventing the browser from caching credit card numbers and the like is a
no-brainer; appsec 101.

Now, the recent 1.3.10 release made a great stride in this direction. Finally,
for the first time, the main Struts 1.3.x branch supports the Autocomplete tag
(just so we can disable this feature). But it's still not enabled by default!
I need to modify the TLD in order to enable the autocomplete form and form
element attribute, which takes me off the main branch of Struts 1.3.x.

I implore you to consider enabling autocomplete by default, so we can turn it
off - for real! The best security is "secured by default".

Jim Manico
OWASP, Intrinsic Security Working Group
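
A check for the requirement stated in the report, that autocomplete="off" appears on both the form and the form element tags, run over rendered HTML. This is an added example, not part of the issue or of Struts; the sample markup, field names and the `audit` helper are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of rendered form output (not taken from the issue).
SAMPLE_HTML = """
<form action="/pay.do" method="post">
  <input type="text" name="cardNumber">
  <input type="text" name="cvv" autocomplete="off">
</form>
<form action="/search.do" autocomplete="off">
  <input type="text" name="q" autocomplete="off">
</form>
"""

class AutocompleteAudit(HTMLParser):
    """Collect form and field tags that do not carry autocomplete="off"."""
    FIELD_TAGS = {"input", "textarea", "select"}
    # Input types that hold no typed value a browser would remember.
    SKIP_TYPES = {"hidden", "submit", "button", "reset", "image",
                  "checkbox", "radio", "file"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None.
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            label = "form action=" + a.get("action", "?")
        elif (tag in self.FIELD_TAGS
              and a.get("type", "text").lower() not in self.SKIP_TYPES):
            label = tag + " name=" + a.get("name", "?")
        else:
            return
        if a.get("autocomplete", "").strip().lower() != "off":
            line, _ = self.getpos()
            self.findings.append((line, label))

def audit(html):
    """Return (line, tag description) for each tag lacking autocomplete="off"."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for line, label in audit(SAMPLE_HTML):
        print(f'line {line}: {label} lacks autocomplete="off"')
```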