
dare0505 | 7 years ago

It's amazing this still works in Chrome.

Open https://anttiviljami.github.io/browser-autofill-phishing/, enter some auto-fill info, click "Submit" and monitor your "Network" tab requests. You'll find your browser leaked way more info than those 2 pieces of information...


aquark|7 years ago

We had to deal with this in reverse: we had a form that depending on what you fill in and the settings doesn't show some options.

The browser was submitting the form with auto-fill details that failed the validation checks for those fields. Hard to show an error message for fields the user can't see.

Yes, it is more robust to have code on the server side discard input that isn't expected rather than validate it, but it's annoying extra work when those fields have no security impact.

The alternative is to tell the browser not to auto-fill those fields, but doing that feels broken too.
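One way to do the server-side discarding aquark describes, as an added example that is not from this thread (Node.js; the form definition, the settings keys and the sample submission are all assumed):

```javascript
// Added example: allowlist submitted fields by what the form actually rendered.
// Rather than validating every field the browser sends, compute which fields
// the user could see (from their settings) and discard the rest, so values
// autofilled into hidden inputs never reach validation or storage.

// Hypothetical form definition: each field is always shown, or shown only
// when a settings predicate holds.
const FORM_FIELDS = {
  name:    { always: true },
  email:   { always: true },
  phone:   { showIf: (s) => s.contactByPhone === true },
  address: { showIf: (s) => s.shipping === 'postal' },
};

// Set of field names rendered for a user with these settings.
function visibleFields(settings) {
  return new Set(
    Object.entries(FORM_FIELDS)
      .filter(([, rule]) => rule.always || rule.showIf(settings))
      .map(([name]) => name),
  );
}

// Keep only fields the user could see. The dropped names are returned so the
// caller can log them: a steady stream of dropped fields is the signal that
// browsers are autofilling inputs the user never saw.
function filterSubmission(body, settings) {
  const allowed = visibleFields(settings);
  const accepted = {};
  const dropped = [];
  for (const [name, value] of Object.entries(body)) {
    if (allowed.has(name)) accepted[name] = value;
    else dropped.push(name);
  }
  return { accepted, dropped };
}

// Constructed sample: the browser autofilled phone and address although this
// user's settings render only name and email.
const sampleBody = {
  name: 'A. User', email: 'a.user@example.com',
  phone: '555-0100', address: '1 Example St',
};
const sampleSettings = { contactByPhone: false, shipping: 'pickup' };

const result = filterSubmission(sampleBody, sampleSettings);
console.log('accepted:', result.accepted);   // name and email only
console.log('dropped:', result.dropped);     // [ 'phone', 'address' ]
```

Note that this still needs the real visibility rules to be shared between the template that renders the form and the code that filters it; a predicate that drifts out of sync silently drops fields the user did fill in.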

ivanhoe|7 years ago

scary... is there any valid scenario where user expects browser to auto-fill the hidden fields?

meandmycode|7 years ago

It's just pretty difficult to ensure a field really is visible to the user; the problem is it'll always have some weaknesses, and those who would abuse it will find those weaknesses.