Contact emails
jdrag...@gmail.com
Summary
Remove pseudo classes :-internal-autofill-previewed and :-internal-autofill-selected.
Un-expose these two classes and make them available for UA stylesheets only.
Each class represents:
:-internal-autofill-previewed class - fields are filled when hovering over an autofill suggestion
:-internal-autofill-selected - fields are filled with a selected autofill suggestion
Motivation
Although they are -internal-prefixed pseudo classes, these two pseudo classes have erroneously been exposed for author use. It can be used by a side channel to extract information from autofill before the user decides to disclose it to the website. Those pseudo classes should only be allowed in UA sheets. The -internal prefix means that we did not intend to expose them in the first place. So, there are no :-webkit-* versions of those.
Interoperability and Compatibility Risk
Edge: Not supported
Firefox: Not supported
Safari: Not supported
Alternative implementation suggestion for web developers
The default styling does not get overridden in preview state and selected state.
Developers can only use the :-webkit-autofill pseudo-class for the autofilled state (matched input elements which have been autofilled by the user agent).
Usage information from UseCounter
There is no estimated data from UseCounter.
Entry on the feature dashboard
https://chromestatus.com/feature/5778154275733504
<thinking outloud>
Do we think it's worth adding one? Or perhaps looking for usage in HTTPArchive as a proxy? I suspect fallout from removing this feature would be pretty minimal - designs might look different in some cases, so perhaps side-channel concerns are overriding here. Not sure if outreach would even be worthwhile, were we to find a popular site or library using this, since there's no recommended alternative.
</thinking outloud>
> Entry on the feature dashboard
> https://chromestatus.com/feature/5778154275733504
Is there a crbug where interested folks can follow along?
thanks,
Mike
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bc31bca8-7b9d-b233-cece-f39f6fc38592%40chromium.org.
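The usage question raised above can also be checked against a site's own stylesheets. The following is an added example, not part of the thread and not Chromium code: it reports rules whose selectors use either of the two pseudo-classes named in the intent. The function names and SAMPLE_CSS are hypothetical and constructed for the illustration.

```javascript
// Added example (not Chromium code): audit author CSS for the two pseudo-classes
// this intent removes. SAMPLE_CSS below is constructed for the demonstration.
const REMOVED = /:-internal-autofill-(?:previewed|selected)(?![\w-])/gi;

// Blank out comments and quoted strings, preserving length and newlines, so a
// mention inside /* ... */ or content: "..." is not reported as a selector.
function maskCommentsAndStrings(css) {
  const skip = /\/\*[\s\S]*?\*\/|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/g;
  return css.replace(skip, (m) => m.replace(/[^\n]/g, ' '));
}

// Returns [{ line, selector, pseudoClasses }] for every rule whose selector
// list uses :-internal-autofill-previewed or :-internal-autofill-selected.
function findRemovedAutofillSelectors(css) {
  const masked = maskCommentsAndStrings(css);
  const prelude = /([^{};]+)\{/g; // text between the previous {, } or ; and the next {
  const findings = [];
  let m;
  while ((m = prelude.exec(masked)) !== null) {
    const start = m.index + (m[1].length - m[1].trimStart().length);
    const maskedSelector = m[1].trim();
    const names = maskedSelector.match(REMOVED); // pseudo-class names are case-insensitive
    if (!names) continue;
    findings.push({
      line: css.slice(0, start).split('\n').length,
      selector: css.slice(start, start + maskedSelector.length),
      pseudoClasses: [...new Set(names.map((n) => n.toLowerCase()))],
    });
  }
  return findings;
}

const SAMPLE_CSS = `
/* :-internal-autofill-selected mentioned in a comment only */
input:-webkit-autofill { border: 1px solid green; }
input[name="cc"]:-internal-autofill-previewed,
input:-INTERNAL-autofill-selected { background-color: white; }
@media (min-width: 600px) {
  select:-internal-autofill-selected { color: red; }
}
.note::after { content: ":-internal-autofill-previewed"; }
`;

console.log(findRemovedAutofillSelectors(SAMPLE_CSS));
```

Rules that use only :-webkit-autofill are not reported, since that pseudo-class remains available to authors.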
> It can be used by a side channel to extract information from autofill before the user decides to disclose it to the website.
Does "information" mean actual data (credentials)? Or is the fact that something was autofilled also bad to be exposed (because it basically means the user probably has an account on that website)?
(I ask because there are other ways to find out about the latter)
☆Phistuc
Even if the other ways are uncommon, they will probably get picked up once this is gone.
I am aware of one way that is not being misused - a React-and-Redux-Form-based website had to find out whether autofill happened because otherwise the login submit button remains disabled and the user had to delete one of the autofilled values and re-enter it.
+Dominic Battre for feedback.
--
Google Germany GmbH - Erika-Mann-Str. 33 - 80636 München - Germany
Commercial register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Paul Manicle, Halimah DeLaine Prado