Summary: The input-security property allows password fields to be
unmasked. This allows pages to make "reveal password" buttons etc.
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1735384
Standard:
https://drafts.csswg.org/css-ui-4/#input-security
Platform coverage: All
Preference: layout.css.input-security.enabled
DevTools bug: N/A
Other browsers:
* WebKit and Blink allow to do this via prefixed -webkit-text-security.
* WebKit has implemented the standard property already:
https://bugs.webkit.org/show_bug.cgi?id=184510
web-platform-tests: They exist, and they pass with my patch.
Let me know if there's any concern with this property. We have unmasking
capabilities for autofilled passwords already, this basically gives the
page authors the tool to do the same.
I could see this perhaps being used maliciously, though then again, a
page can also switch input.type to "text" to reveal the password using
JS, so...
-- Emilio