Intent to prototype and ship: input-security css property
426 views
Skip to first unread message
Emilio Cobos Álvarez
Oct 12, 2021, 3:55:32 PM10/12/21
to Mozilla
Summary: The input-security property allows password fields to be
unmasked. This allows pages to make "reveal password" buttons etc.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1735384
Standard: https://drafts.csswg.org/css-ui-4/#input-security
Platform coverage: All
Preference: layout.css.input-security.enabled
DevTools bug: N/A
Other browsers:
* WebKit and Blink allow to do this via prefixed -webkit-text-security.
* WebKit has implemented the standard property already:
https://bugs.webkit.org/show_bug.cgi?id=184510
web-platform-tests: They exist, and they pass with my patch.
Let me know if there's any concern with this property. We have unmasking
capabilities for autofilled passwords already, this basically gives the
page authors the tool to do the same.
I could see this perhaps being used maliciously, though then again, a
page can also switch input.type to "text" to reveal the password using
JS, so...
-- Emilio
unmasked. This allows pages to make "reveal password" buttons etc.
Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1735384
Standard: https://drafts.csswg.org/css-ui-4/#input-security
Platform coverage: All
Preference: layout.css.input-security.enabled
DevTools bug: N/A
Other browsers:
* WebKit and Blink allow to do this via prefixed -webkit-text-security.
* WebKit has implemented the standard property already:
https://bugs.webkit.org/show_bug.cgi?id=184510
web-platform-tests: They exist, and they pass with my patch.
Let me know if there's any concern with this property. We have unmasking
capabilities for autofilled passwords already, this basically gives the
page authors the tool to do the same.
I could see this perhaps being used maliciously, though then again, a
page can also switch input.type to "text" to reveal the password using
JS, so...
-- Emilio
Reply all
Reply to author
Forward
0 new messages