Remove email/password prefilling via URL

app/controllers/users/sessions_controller.rb

@@ -13,6 +13,7 @@ class SessionsController < Devise::SessionsController
     before_action :check_user_needs_redirect, only: [:new]
     before_action :apply_secure_headers_override, only: [:new, :create]
     before_action :clear_session_bad_password_count_if_window_expired, only: [:create]
+    before_action :update_devise_params_sanitizer, only: [:new]
 
     def new
       analytics.sign_in_page_visit(
@@ -236,6 +237,10 @@ def override_csp_for_google_analytics
       policy.connect_src(*policy.connect_src, 'www.google-analytics.com')
       request.content_security_policy = policy
     end
+
+    def update_devise_params_sanitizer
+      devise_parameter_sanitizer.permit(:sign_in, except: [:email, :password])
+    end
   end
 
   def unsafe_redirect_error(_exception)

spec/controllers/users/sessions_controller_spec.rb

@@ -639,6 +639,22 @@
         get :new, params: { user: 'this_is_not_a_hash' }
       end.to_not raise_error
     end
+
+    context 'with prefilled email/password via url params' do
+      render_views
+
+      it 'does not prefill the form' do
+        email = Faker::Internet.safe_email
+        password = SecureRandom.uuid
+
+        get :new, params: { user: { email: email, password: password } }
+
+        doc = Nokogiri::HTML(response.body)
+
+        expect(doc.at_css('input[name="user[email]"]')[:value]).to be_nil
+        expect(doc.at_css('input[name="user[password]"]')[:value]).to be_nil
+      end
+    end
   end
 
   describe 'POST /sessions/keepalive' do