Firefox/Features/Form Autofill/Privacy & Security Considerations: Difference between revisions

From MozillaWiki
(add DOS)
(MP => OS auth)
 
Line 11: Line 11:
  * Integrate with Clear Recent History / Sanitizer?
  * Don't save the CVV anywhere (including form history)
- * Master password: Re-prompt before showing plaintext
+ * Authentication: Re-prompt before showing plaintext
  * Denial of service from large amounts of submitted data in forms
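Review bot: the new wording "Authentication: Re-prompt before showing plaintext" loses the mechanism that the edit summary "MP => OS auth" names; consider "OS authentication: Re-prompt before showing plaintext" so the list item itself records that the re-prompt is now the operating system's authentication rather than the master password.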

Latest revision as of 06:34, 30 June 2020

Some things to keep in mind while working on form autofill relating to privacy/security:

  • <input type=hidden>
  • @hidden
  • Fields hidden/obscured/off-screen
  • @autocomplete=off
  • attacks where the user is tricked into interacting with the autocomplete popup (e.g. clickjacking)
  • security state of the page e.g. HTTPS vs. HTTP, invalid certificate, etc.
    • Most relevant for payment information
  • clickjacking on doorhangers
  • Private browsing mode - don't save submitted info or touch storage metadata
  • Integrate with Clear Recent History / Sanitizer?
  • Don't save the CVV anywhere (including form history)
  • Authentication: Re-prompt before showing plaintext
  • Denial of service from large amounts of submitted data in forms
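The checklist above encoded as two policy functions, as an added example that is not Firefox's own autofill code. It models fields and page state as plain objects (shapes assumed, so it runs outside a browser): `obscured` is a caller-supplied flag (e.g. from a hit test), and the 256-character storage cap is an assumed value for the denial-of-service guard.

```javascript
// Added example: policy checks for the privacy/security considerations listed above.
// Field/page object shapes and the storage cap are assumptions, not Firefox's API.
const PAYMENT_TYPES = new Set(["cc-number", "cc-exp", "cc-name", "cc-csc"]);
const MAX_STORED_VALUE_LENGTH = 256;   // assumed cap: bounds what a form can push into storage
const CVV_NAME_RE = /\b(cvv|cvc|csc|cvv2|security[-_ ]?code)\b/i;

// May this field be offered for autofill at all?
// field: { type, hidden, obscured, autocomplete, name,
//          style: { display, visibility, opacity }, rect: { x, y, width, height } }
// page:  { isSecureContext, certError, privateBrowsing, viewport: { width, height } }
function fieldEligibleForAutofill(field, page) {
  if (field.type === "hidden") return { ok: false, reason: "input type=hidden" };
  if (field.hidden) return { ok: false, reason: "hidden attribute" };
  if (field.autocomplete === "off") return { ok: false, reason: "autocomplete=off" };
  const s = field.style || {};
  if (s.display === "none" || s.visibility === "hidden" || Number(s.opacity) === 0)
    return { ok: false, reason: "not rendered" };
  const r = field.rect;
  if (r.width <= 0 || r.height <= 0) return { ok: false, reason: "zero-size" };
  const v = page.viewport;
  if (r.x + r.width <= 0 || r.y + r.height <= 0 || r.x >= v.width || r.y >= v.height)
    return { ok: false, reason: "off-screen" };
  if (field.obscured) return { ok: false, reason: "obscured by another element" };
  // Payment data needs a trustworthy transport; other data may be filled, but the
  // caller should still surface the page's security state in the UI.
  if (PAYMENT_TYPES.has(field.autocomplete) && (!page.isSecureContext || page.certError))
    return { ok: false, reason: "insecure page for payment data" };
  return { ok: true, reason: "" };
}

// May this submitted value be written to autofill storage / form history?
function shouldStoreSubmittedValue(field, value, page) {
  if (page.privateBrowsing) return false;                       // never touch storage in PB
  if (field.autocomplete === "cc-csc" || CVV_NAME_RE.test(field.name || "")) return false;
  if (typeof value !== "string" || value.length === 0) return false;
  if (value.length > MAX_STORED_VALUE_LENGTH) return false;    // denial-of-service guard
  return true;
}
```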