Add autocomplete attribute to contrib.auth fields?
Tim Graham
Browser support looks somewhat limited, so I wanted to ask if there are any concerns or drawbacks with adding autocomplete=username/email/current-password/new-password to contrib.auth's forms?
Pull request: https://github.com/django/django/pull/9921
From the ticket [https://code.djangoproject.com/ticket/29379]:
The most useful one is autocomplete=new-password, which prevents
browsers prefill with current password, Chrome will also suggest a
random strong password for users who turned on account sync.
https://html.spec.whatwg.org/multipage/form-control-infrastructure.html#autofill
https://www.chromium.org/developers/design-documents/form-styles-that-chromium-understands
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion#The_autocomplete_attribute_and_login_fields
Tom Forbes
I don’t have much to add other than it’s pretty common for pentests to flag autocomplete being enabled on sensitive fields (email/password) and recommend disabling it (autocomplete=off). While I’m not sure if I agree with that recommendation in some situations you have little choice but to follow it.
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-develop...@googlegroups.com.
To post to this group, send email to django-d...@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/d398c554-3fe2-4e0f-9deb-a61dabc4cbf3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Adam Johnson
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAFNZOJMektU_6pQ6vXnRrBHEisGbUzp8sm-cE2m0-597dShHGA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.