Secure Variables - GOCD auto saves user credentials?

[Jason Duff]

As of version 18.7.0 GO appears to auto save my AD credentials every time I edit/save an environment variable for a pipeline.  In addition, every time i save, it adds another one/duplicate and then says it can't save because there are duplicate environment variables.

Upon further investigation, this appears to be an "autocomplete" feature of Chrome.  It is likely picking up the credentials from when I log into GO initially and, if Chrome autocomplete/caching

feature is on, it will save and populate the fields in the secure variables section as well.

This may be due to the use of the "autocomplete='off'" attribute on the input field.  I think it needs to be something else as it appears Chrome is ignoring it.

Thoughts?

Thanks.

[Aravind SV]

Hello Jason,

The GitHub issue #4744 is probably relevant. Browsers, especially Chrome, seem to have made changes recently which ignore attempts to turn off saving of credentials. In that issue, Aditya links to Chrome bug 468153 which links to other issues. We don't like the behavior as well, but the Chrome team has taken a strong stance against allowing that.

If anyone has ideas on how to handle non-login password fields (which the secure environment variable field is), we're all ears. One approach I've thought of is to rewrite it, using Javascript, as a normal text field, but it's frustrating since this should be handled by the browser. PRs are especially welcome, of course.

Regards,

Aravind