Firefox/Features/Form Autofill/Privacy & Security Considerations
Some things to keep in mind while working on form autofill relating to privacy/security:
- <input type=hidden>
- Fields hidden/obscured/off-screen
- attacks where the user is tricked into interacting with the autocomplete popup (e.g. clickjacking)
- security state of the page e.g. HTTPS vs. HTTP, invalid certificate, etc.
- Most relevant for payment information
- clickjacking on doorhangers
- Private browsing mode - don't save submitted info or touch storage metadata
- Integrate with Clear Recent History / Sanitizer?
- Don't save the CVV anywhere (including form history)
- Authentication: Re-prompt before showing plaintext
- Denial of service from large amounts of submitted data in forms