Add autocomplete="off" for input type="password" to appease the scanners #56922
Merged
kobelb merged 5 commits into elastic:master on Feb 13, 2020
jportner (Contributor) suggested changes on Feb 9, 2020 and left a comment:
It looks like we should also change the password fields located in x-pack/plugins/security/public/management/users/edit_user/edit_user_page.tsx.
Also, I'll edit the issue description to include a reference regarding autocomplete.
Resolved review threads:
.../public/views/login/components/basic_login_form/__snapshots__/basic_login_form.test.tsx.snap
.../legacy/plugins/security/public/views/login/components/basic_login_form/basic_login_form.tsx
...ns/security/public/management/users/components/change_password_form/change_password_form.tsx (three threads, two of them outdated)
kobelb added a commit that referenced this pull request on Feb 13, 2020:
…ers (#56922) (#57523)
* Add autocomplete="off" for input type="password" to appease the scanners
* Using new-password instead of off for the new/confirm passwords
* Setting more autoComplete="new-password" attributes
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
This PR adds the autocomplete="off" attribute to password fields to ensure that outdated scanning tools won't create false positive results. This attribute is a hint to the browser -- respecting it is not mandatory -- and the vast majority of browsers ignore it in the case of password fields.
Allowing the use of autocomplete on password fields is expected behavior, as it facilitates the use of password managers, which is a net gain for user security.
Reference: The autocomplete attribute and login fields | MDN
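
An added example, not code from this PR or from Kibana: a small audit that reproduces the kind of check the scanners mentioned above apply, listing every password input in a piece of HTML or JSX and classifying its autocomplete hint. The sample markup, function names and verdict labels are constructed for illustration; `current-password` is a standard autocomplete token that this PR does not mention.

```javascript
// Constructed sample markup mixing HTML and JSX attribute spellings.
const SAMPLE = `
<form>
  <input type="text" name="username" autocomplete="username">
  <input type="password" name="password">
</form>
<input type="password" name="newPassword" autoComplete="new-password" />
<input type="password" name="confirmPassword" autoComplete={"off"} />
`;

// Parse the attribute text of one tag into a map with lower-cased names,
// so HTML `autocomplete` and React `autoComplete` are treated alike.
// Limitation: values that themselves contain '<' or '>' are not handled.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([A-Za-z_:][\w:.-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|\{\s*["']([^"']*)["']\s*\})/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per password input found in the markup.
function auditPasswordInputs(markup) {
  const findings = [];
  const tagRe = /<([A-Za-z][\w.]*)\b([^<>]*)>/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const attrs = parseAttributes(m[2]);
    if ((attrs.type || '').toLowerCase() !== 'password') continue;
    const hint = attrs.autocomplete;
    let verdict;
    if (hint === undefined) {
      verdict = 'missing'; // the case an outdated scanner reports
    } else if (hint === 'off') {
      verdict = 'off'; // satisfies the scanner; browsers may still offer to fill
    } else if (hint === 'new-password' || hint === 'current-password') {
      verdict = 'password-manager-hint'; // tells password managers which kind of field this is
    } else {
      verdict = 'other';
    }
    findings.push({ name: attrs.name || '(unnamed)', autocomplete: hint ?? null, verdict });
  }
  return findings;
}

console.log(auditPasswordInputs(SAMPLE));
```
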