Intent to prototype and ship: input-security css property


Emilio Cobos Álvarez

Oct 12, 2021, 3:55:32 PM
to Mozilla
Summary: The input-security property allows password fields to be
unmasked. This allows pages to make "reveal password" buttons etc.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1735384

Standard: https://drafts.csswg.org/css-ui-4/#input-security

Platform coverage: All

Preference: layout.css.input-security.enabled

DevTools bug: N/A

Other browsers:

* WebKit and Blink allow doing this via prefixed -webkit-text-security.
* WebKit has implemented the standard property already:
https://bugs.webkit.org/show_bug.cgi?id=184510

web-platform-tests: They exist, and they pass with my patch.

Let me know if there's any concern with this property. We have unmasking
capabilities for autofilled passwords already; this basically gives the
page authors the tool to do the same.

I could see this perhaps being used maliciously, though then again, a
page can also switch input.type to "text" to reveal the password using
JS, so...

-- Emilio
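
As an added example (not part of the original post or of Mozilla's patch): a reveal-password toggle that prefers `input-security` and falls back to the `input.type` switch the post mentions, plus a check a page can use to confirm the field is masked again. The helper names and the `#pw` / `#reveal` element ids are assumptions; the `auto` / `none` values are from the linked CSS UI 4 draft.

```javascript
// Added example: names below (supportsInputSecurity, setRevealed, isMasked)
// are hypothetical; `auto` / `none` are the values in the CSS UI 4 draft.

function supportsInputSecurity(css = globalThis.CSS) {
  return Boolean(css && typeof css.supports === "function" &&
    css.supports("input-security", "none"));
}

// Reveal or re-mask a password field; returns the mechanism used.
function setRevealed(input, revealed, css = globalThis.CSS) {
  if (supportsInputSecurity(css)) {
    // type stays "password"; only the rendering changes.
    input.style.setProperty("input-security", revealed ? "none" : "auto");
    return "input-security";
  }
  // Fallback from the post: switch input.type with JS.
  input.type = revealed ? "text" : "password";
  return "type-switch";
}

// True only if the field is still obscured under both mechanisms.
function isMasked(input, computed = globalThis.getComputedStyle) {
  if (input.type !== "password") return false;
  const style = typeof computed === "function" ? computed(input) : input.style;
  return style.getPropertyValue("input-security") !== "none";
}

// Browser wiring (assumed markup: #pw, #reveal): toggle on click and
// re-mask before submit so the value is not left visible on screen.
if (typeof document !== "undefined") {
  const pw = document.querySelector("#pw");
  const btn = document.querySelector("#reveal");
  if (pw && btn) {
    btn.addEventListener("click", () => setRevealed(pw, isMasked(pw)));
    if (pw.form) pw.form.addEventListener("submit", () => setRevealed(pw, false));
  }
}
```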