Re: Add autocomplete attribute to contrib.auth fields?

[Adam Johnson]

I wouldn't think such pentest tools are a major concern, as I'd guess not
many users have to meet such requirements, and it would always be possible
to subclass the forms and set autocomplete=off where appropriate. Also the
referred mdn docs

state
that autocomplete=off is often ignored.

Browser may be limited but I would think it's fine to add them now, they'll
ignore the values they don't know until they support them.



On Sat, 25 Aug 2018 at 20:11, Tom Forbes  wrote:

> I don’t have much to add other than it’s pretty common for pentests to
> flag autocomplete being enabled on sensitive fields (email/password) and
> recommend disabling it (autocomplete=off). While I’m not sure if I agree
> with that recommendation in some situations you have little choice but to
> follow it.
>
>
>
>
> On 25 August 2018 at 16:54:08, Tim Graham (timogra...@gmail.com) wrote:
>
> Browser support looks somewhat limited, so I wanted to ask if there are
> any concerns or drawbacks with adding
> autocomplete=username/email/current-password/new-password to contrib.auth's
> forms?
>
>
> Pull request: ​https://github.com/django/django/pull/9921
>
>
> From the ticket [https://code.djangoproject.com/ticket/29379]:
>
>
> The most useful one is autocomplete=new-password, which prevents browsers
> prefill with current password, Chrome will also suggest a random strong
> password for users who turned on account sync.
> Related docs:
> ​
> https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill
> ​
> https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands
> ​
> https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/d398c554-3fe2-4e0f-9deb-a61dabc4cbf3%40googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/CAFNZOJMektU_6pQ6vXnRrBHEisGbUzp8sm-cE2m0-597dShHGA%40mail.gmail.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
Adam

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAMyDDM2%3DPsWhjsdLr-EHOhGZOurCC1DKn2g%2BqF8e1qUFoOgm%2Bg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: Add autocomplete attribute to contrib.auth fields?

[Tom Forbes]

I don’t have much to add other than it’s pretty common for pentests to flag
autocomplete being enabled on sensitive fields (email/password) and
recommend disabling it (autocomplete=off). While I’m not sure if I agree
with that recommendation in some situations you have little choice but to
follow it.




On 25 August 2018 at 16:54:08, Tim Graham (timogra...@gmail.com) wrote:

Browser support looks somewhat limited, so I wanted to ask if there are any
concerns or drawbacks with adding
autocomplete=username/email/current-password/new-password to contrib.auth's
forms?


Pull request: ​https://github.com/django/django/pull/9921


>From the ticket [https://code.djangoproject.com/ticket/29379]:


The most useful one is autocomplete=new-password, which prevents browsers
prefill with current password, Chrome will also suggest a random strong
password for users who turned on account sync.
Related docs:
​
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill
​
https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands
​
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
--
You received this message because you are subscribed to the Google Groups
"Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-developers/d398c554-3fe2-4e0f-9deb-a61dabc4cbf3%40googlegroups.com

.
For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAFNZOJMektU_6pQ6vXnRrBHEisGbUzp8sm-cE2m0-597dShHGA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Add autocomplete attribute to contrib.auth fields?

[Tim Graham]

Browser support looks somewhat limited, so I wanted to ask if there are any 
concerns or drawbacks with adding 
autocomplete=username/email/current-password/new-password to contrib.auth's 
forms?


Pull request: ​https://github.com/django/django/pull/9921


>From the ticket [https://code.djangoproject.com/ticket/29379]:


The most useful one is autocomplete=new-password, which prevents browsers 
prefill with current password, Chrome will also suggest a random strong 
password for users who turned on account sync.
Related docs:
​
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill
​
https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands
​
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/d398c554-3fe2-4e0f-9deb-a61dabc4cbf3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.