Make WordPress Core

Opened 5 years ago

Last modified 3 weeks ago

#41136 new defect (bug)

Login forms lacking autocomplete attributes

Reported by: johnjamesjacoby
Owned by:
Milestone: 6.0
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: needs-patch
Focuses: accessibility, administration
Cc:

Description (last modified by ocean90)

The security team received a report via HackerOne related to autocomplete attributes being omitted from various form fields in wp-login.php. Since there is no direct security issue (and we've handled this type of improvement publicly previously) I'm creating a new ticket here to continue that.

In my research, form fields in wp_login_form(), show_user_form(), and show_blog_form() need similar scrutiny and improvements.

Related: #24364

Attachments (1)

41136.patch (2.4 KB) - added by dhanendran 4 years ago.
autocomplete attribute added


Change History (11)

#1 @netweb
5 years ago

Related: #buddypress6269 "Add autocomplete="off" to bp-login widget password field"

There are some useful prior research links in the above ticket.

#2 @ocean90
4 years ago

  • Description modified

@dhanendran
4 years ago

autocomplete attribute added

#3 @afercia
4 years ago

  • Component changed from Users to Login and Registration

This ticket was mentioned in Slack in #design by karmatosed.
4 years ago

#5 @melchoyce
4 years ago

What UX feedback is needed here?

This ticket was mentioned in Slack in #design by karmatosed.
3 years ago

#7 @melchoyce
3 years ago

  • Keywords ux-feedback removed

Removing ux-feedback for now. Feel free to re-add if the ticket picks back up.

#8 @rianrietveld
3 weeks ago

  • Focuses accessibility administration added

Hey all, I'd like to give this ticket some attention and priority.

WCAG on autocomplete
For WCAG 2.1 AA, autocomplete values are required in login forms.
That's success criterion 1.3.5 Identify Input Purpose
https://www.w3.org/WAI/WCAG21/quickref/?showtechniques=131%2C412#identify-input-purpose.

In the new WCAG 2.2 A, an additional success criterion will be added to help users remember their login data, and using autocomplete is one of the techniques for that.
That's success criterion 3.3.7 Accessible authentication https://www.w3.org/WAI/standards-guidelines/wcag/new-in-22/#337-accessible-authentication-a

The release of 2.2 is planned for June 2022. Both success criteria are added to help people with a cognitive disability.

So instead of adding autocomplete="off" as the patch suggests, the values should be:

<input type="text" name="log" id="user_login" autocomplete="username" class="input" value="" size="20" autocapitalize="off" >

and

<input type="password" name="pwd" id="user_pass" autocomplete="current-password" class="input password-input" value="" size="20" >

All autocomplete values are listed on MDN: [The HTML autocomplete attribute](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete)

Discussion:
As the autocomplete values are stored in the browser, this may result in security issues when users share their computers or use a computer in a public place like a library.

One way or another, we have to make a decision about adding autocomplete values. This ticket could serve as reference and documentation about what we decide.

Last edited 3 weeks ago by rianrietveld
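The following is an added example, not code from WordPress core, from the attached patch, or from any commenter on this ticket. It is a small audit script that checks the `<input>` elements of a login or registration form for the autocomplete tokens the comment above calls for, and it goes slightly beyond the two fields quoted there: it also expects `email` on e-mail fields and `new-password` (rather than `current-password`) on registration forms. The function names `auditForm`, `parseInputs` and `inferRole` are assumed names for this example. The sample markup is constructed: the username and password inputs follow the two wp-login.php fields quoted above, while the remember-me checkbox, the submit button and the registration form are generic stand-ins, not real WordPress markup.

```javascript
// Added example (not WordPress core code or the ticket's patch): audit the
// <input> elements of a login or registration form for the autocomplete
// tokens WCAG 2.1 SC 1.3.5 expects. The HTML is parsed with a small
// regex-based extractor so the script runs under Node without a DOM.

// Token expected for each field role (token names as defined by the HTML spec).
const EXPECTED = {
  username: "username",
  currentPassword: "current-password",
  newPassword: "new-password",
  email: "email",
};

// Extract every <input ...> tag and its double-quoted attributes.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Infer a field's role from its type/name/id. `formPurpose` ("login" or
// "register") decides whether a password field should carry current-password
// or new-password. Checkboxes, submit buttons and hidden fields get no role
// and are skipped by the audit.
function inferRole(attrs, formPurpose) {
  const type = (attrs.type || "text").toLowerCase();
  const nameId = `${attrs.name || ""} ${attrs.id || ""}`.toLowerCase();
  if (type === "password") {
    return formPurpose === "register" ? "newPassword" : "currentPassword";
  }
  if (type === "email" || nameId.includes("email")) return "email";
  if (type === "text" && /log|user/.test(nameId)) return "username";
  return null;
}

// Compare each relevant field's autocomplete attribute with the expected token
// and return one finding per missing or wrong attribute.
function auditForm(html, formPurpose = "login") {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    const role = inferRole(attrs, formPurpose);
    if (role === null) continue;
    const expected = EXPECTED[role];
    const actual = attrs.autocomplete;
    const field = attrs.id || attrs.name || "(unnamed)";
    if (actual === undefined) {
      findings.push({ field, expected, actual: null, problem: "missing" });
    } else if (actual.trim().toLowerCase() !== expected) {
      findings.push({ field, expected, actual, problem: "wrong" });
    }
  }
  return findings;
}

// Constructed sample markup. The username and password inputs follow the two
// wp-login.php fields quoted in the ticket; the remember-me checkbox and the
// submit button are generic stand-ins, not the real wp-login.php markup.
const loginFields = (usernameAc, passwordAc) => `
<form id="loginform">
  <input type="text" name="log" id="user_login" ${usernameAc} class="input" value="" size="20" autocapitalize="off">
  <input type="password" name="pwd" id="user_pass" ${passwordAc} class="input password-input" value="" size="20">
  <input type="checkbox" name="remember" id="remember" value="1">
  <input type="submit" name="submit" value="Log In">
</form>`;

const LOGIN_NO_AUTOCOMPLETE = loginFields("", ""); // as reported: no attributes at all
const LOGIN_AUTOCOMPLETE_OFF = loginFields('autocomplete="off"', 'autocomplete="off"'); // what the patch proposed
const LOGIN_FIXED = loginFields('autocomplete="username"', 'autocomplete="current-password"'); // WCAG-conformant

// Constructed registration form: the password field still says
// current-password and is flagged, because registration creates a new credential.
const REGISTER_WRONG_TOKEN = `
<form id="registerform">
  <input type="text" name="user_login" id="user_login" autocomplete="username">
  <input type="email" name="user_email" id="user_email" autocomplete="email">
  <input type="password" name="new_pass" id="new_pass" autocomplete="current-password">
</form>`;

for (const [label, html, purpose] of [
  ["reported markup", LOGIN_NO_AUTOCOMPLETE, "login"],
  ["patch (autocomplete=off)", LOGIN_AUTOCOMPLETE_OFF, "login"],
  ["corrected markup", LOGIN_FIXED, "login"],
  ["registration form", REGISTER_WRONG_TOKEN, "register"],
]) {
  console.log(label + ": " + JSON.stringify(auditForm(html, purpose)));
}
```

Run it with `node` to see one line of findings per sample form; the reported markup yields two "missing" findings, the `autocomplete="off"` variant yields two "wrong" findings, and the corrected markup yields none. The regex extractor only understands double-quoted attributes and is meant for reviewing template snippets like the ones on this ticket; to audit rendered pages, feed the same `inferRole`/`EXPECTED` logic the elements from a real DOM parser instead.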

This ticket was mentioned in Slack in #accessibility by rianrietveld.
3 weeks ago

#10 @sabernhardt
3 weeks ago

  • Milestone changed from Awaiting Review to 6.0