[WEB SECURITY] Autocomplete attribute
- From: "Benjamin Hawkes-Lewis" <benjaminhawkeslewis@xxxxxxxxxxx>
- Subject: [WEB SECURITY] Autocomplete attribute
- Date: Mon, 07 Aug 2006 15:40:54 +0100
Many mainstream web user agents (Internet Explorer, Gecko-based browsers,
Konqueror, and WebKit-based browsers like Safari) support a non-standard
HTML "autocomplete" attribute on "form" and "input" elements that can
inhibit the storage and autofilling of sensitive data in HTML forms. I'm
drafting a proposal to create a namespace to allow an attribute
corresponding to the existing HTML "autocomplete" attribute to be employed
in web documents using XHTML.
The basic reason is that, despite its known weaknesses, banks and "experts"
continue to demand it, and, despite the existence of alternative techniques,
it is commonly employed in JavaScript-based web applications such as Google
Suggest. I don't wish to see web authors' inability to use their cherished
"autocomplete" attribute become yet another barrier to the adoption of newer
W3C standards.
However, I'm also interested in collecting considered security opinion for
and against "autocomplete", and compiling alternatives (e.g. user education,
nonces, one-shot passwords) for those determined to make their websites more
secure and keep users' sensitive data safer.
However, I am not by any means a security buff and I wanted to consult
people who are. It was suggested to me that I should post a link to my draft
to this list for discussion:
http://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML
I hope it's food for thought if nothing else.
----
Benjamin Hawkes-Lewis
----------------------------------------------------------------------------
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Brought to you by http://www.webappsec.org