Opened 2 years ago
Last modified 3 months ago
#43886 new feature request
Chrome autofills password over "new password" field when updating user.
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Users | Keywords: | 2nd-opinion needs-patch |
| Focuses: | administration | Cc: |
Description
Chrome, the wonderful browser that it is, is super helpful.
When editing a user (even your own), and attempting to update the password with a nice strong one, Chrome will (helpfully) insert *your* old password into the new password field, right when you click update. (You can tell, because the length of the password will change to your passwords length).
Incognito Mode fixes it, apparently, and uninstalling Chrome in favor of Firefox seems to work too.
From what I've been able to guess, it's because of Chrome's unique implementation of completely ignoring autocomplete="off" https://bugs.chromium.org/p/chromium/issues/detail?id=370363#c7 and suggests autocomplete="new-password" instead.
Alternatively, <form autocomplete="off"> could possibly work. https://stackoverflow.com/questions/15738259/disabling-chrome-autofill
It does seem to make sense to disable autocomplete completely on the edit-user form, since it's not actually useful to fill in some random user's info with info from your browser...especially passwords...despite what Chrome seems to believe.
Firefox 70 implements
autocomplete=new-passwordnow too, and I think this will be a nice UX improvements well.I will submit patches for password reset and user registration fields.