Firefox/Features/Form Autofill/Privacy & Security Considerations

Privacy and security considerations to keep in mind while working on form autofill:

  • <input type=hidden>
  • @hidden
  • Fields hidden/obscured/off-screen
  • @autocomplete=off
  • attacks where the user is tricked into interacting with the autocomplete popup (e.g. clickjacking)
  • security state of the page e.g. HTTPS vs. HTTP, invalid certificate, etc.
    • Most relevant for payment information
  • clickjacking on doorhangers
  • Private browsing mode - don't save submitted info or touch storage metadata
  • Integrate with Clear Recent History / Sanitizer?
  • Don't save the CVV anywhere (including form history)
  • Authentication: Re-prompt before showing plaintext
  • Denial of service from large amounts of submitted data in forms
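
A sketch of how the save-side items above (private browsing, CVV, page security state for payment data, oversized submissions) could be enforced in one filter. This is an added example, not Firefox code: the field descriptor shape, the `ctx` flags, the size limits and the CVV name pattern are all assumptions; only the `cc-*` autocomplete tokens are standard HTML.

```javascript
// Added example, not Firefox code. Limits and the CVV name pattern are assumed values.
const MAX_FIELDS = 100;
const MAX_VALUE_LENGTH = 200;
const CVV_NAME = /cvv|cvc|csc/i;

// Constructed sample submission: { name, autocomplete, value } per field.
const SAMPLE_FIELDS = [
  { name: "ccnum", autocomplete: "section-pay cc-number", value: "4111111111111111" },
  { name: "cvv", autocomplete: "cc-csc", value: "123" },
  { name: "email", autocomplete: "email", value: "user@example.com" },
  { name: "notes", autocomplete: "", value: "x".repeat(5000) },
];

// Splits the autocomplete attribute into lowercase tokens.
function autofillTokens(field) {
  return String(field.autocomplete || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// Returns the object that may be persisted, or null when nothing may be stored.
// ctx.privateBrowsing and ctx.secure are supplied by the caller (hypothetical shape).
function recordToSave(fields, ctx) {
  if (ctx.privateBrowsing) return null; // private browsing: store nothing
  // Denial-of-service guard: reject oversized submissions before per-field work.
  if (!Array.isArray(fields) || fields.length > MAX_FIELDS) return null;
  const record = {};
  for (const field of fields) {
    const tokens = autofillTokens(field);
    const name = String(field.name || "");
    const value = String(field.value ?? "");
    // CVV is dropped before any store (profile storage or form history) sees it.
    if (tokens.includes("cc-csc") || CVV_NAME.test(name)) continue;
    // Payment fields from a page without a valid HTTPS state are not saved.
    if (tokens.some((t) => t.startsWith("cc-")) && !ctx.secure) continue;
    // Empty or oversized values are skipped rather than truncated.
    if (value.length === 0 || value.length > MAX_VALUE_LENGTH) continue;
    if (name) record[name] = value;
  }
  return Object.keys(record).length > 0 ? record : null;
}
```

Running the filter once, ahead of every storage backend, keeps the CVV rule from depending on each store applying it separately.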