Make WordPress Core

Opened 20 months ago

Closed 16 months ago

Last modified 15 months ago

#56763 closed enhancement (fixed)

Disable spellcheck for all password fields for better privacy

Reported by: dziudek
Owned by: audrasjb
Milestone: 6.2
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords: needs-dev-note add-to-field-guide has-patch
Focuses: privacy
Cc:

Description

According to the discovery described in this article: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/

All password fields generated in WordPress should have the attribute spellcheck="false". It will prevent the browser from sending passwords to the Google Chrome spellchecking service if Enhanced Spellcheck is enabled.

Attachments (2)

0001-Add-spellcheck-false-to-all-password-fields.patch (12.3 KB) - added by dziudek 20 months ago.
Patch for the described issue with password fields
Capture d’écran 2023-01-19 à 09.59.53.png (215.2 KB) - added by audrasjb 16 months ago.
Application Password field


Change History (25)

@dziudek
20 months ago

Patch for the described issue with password fields

#1
20 months ago

This ticket was mentioned in PR #3420 on WordPress/wordpress-develop by dziudek.

This pull request adds spellcheck="false" attributes to all password fields in order to avoid the privacy problem described here: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/

In short: browsers like Chrome/Edge with Enhanced Spellchecker enabled (it is disabled by default) can send password field values to the Google/Microsoft spellchecking services.

Trac ticket: https://core.trac.wordpress.org/ticket/56763

#3 @dziudek
20 months ago

  • Component changed from General to Privacy

#4 @desrosj
19 months ago

  • Component changed from Privacy to Login and Registration
  • Severity changed from major to normal
  • Version trunk deleted

#5 @SergeyBiryukov
19 months ago

  • Milestone changed from Awaiting Review to 6.2

#6
19 months ago

gainesm commented on PR #3420:

I'm good

#7 @fosuahmed
16 months ago

I have checked the GitHub PR. I see changes are made in 8 files and 13 occurrences.

I have searched in my local clone with the text

type="password"

in .php files and found the same number of files and occurrences. So all changes are made properly.
ScreenShot: https://prnt.sc/Eynib0CoHg7y
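The occurrence check described in the comment above (grep for type="password" and compare the count against the patch) can be automated so that it also reports which password fields still lack spellcheck="false". The script below is an added example and not code from WordPress core, from the patch on this ticket, or from anyone commenting here; the template fragment it scans is constructed for the demonstration, and the function names (audit_password_fields, unprotected_password_fields, harden_password_fields) are the example's own. It tolerates inline PHP inside attribute values, treats a bare or empty spellcheck attribute as enabled (which is what the HTML spec says), and can rewrite the template so every password field carries spellcheck="false".

```python
import re

# Constructed sample of a WordPress-style PHP template fragment (not taken from
# WordPress core or from the patch on this ticket). Line 8 and line 12 hold
# password fields without spellcheck="false"; line 11 is already hardened.
SAMPLE_TEMPLATE = """<form name="loginform" id="loginform" method="post">
  <p>
    <label for="user_login">Username</label>
    <input type="text" name="log" id="user_login" class="input" size="20" />
  </p>
  <p>
    <label for="user_pass">Password</label>
    <input type="password" name="pwd" id="user_pass" class="input" size="20" />
  </p>
  <input type="hidden" name="redirect_to" value="<?php echo esc_attr( $redirect_to ); ?>" />
  <input type="password" name="pass2" id="pass2" spellcheck="false" autocomplete="off" />
  <INPUT type="PASSWORD" name="app_pass" id="app_pass" spellcheck="true" />
</form>
"""

# An <input ...> tag. Inline PHP blocks inside the tag are consumed whole, so a
# "?>" inside an attribute value does not end the tag early.
INPUT_TAG_RE = re.compile(r"<input\b(?:<\?.*?\?>|[^>])*>", re.IGNORECASE | re.DOTALL)
PHP_BLOCK_RE = re.compile(r"<\?.*?\?>", re.DOTALL)
# name="value", name='value', name=value, or a bare boolean attribute.
ATTR_RE = re.compile(r"""([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>/]+)))?""")
# An existing spellcheck attribute (with or without a value) inside one tag.
SPELLCHECK_RE = re.compile(r"""\bspellcheck\b(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>/]+))?""", re.IGNORECASE)


def parse_attrs(tag):
    """Return the tag's attributes as a dict (lowercase names, first occurrence wins)."""
    body = PHP_BLOCK_RE.sub(" ", tag)[len("<input"):].rstrip(">")
    attrs = {}
    for m in ATTR_RE.finditer(body):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        attrs.setdefault(m.group(1).lower(), value)
    return attrs


def is_spellcheck_disabled(attrs):
    """Only the literal value "false" disables spellchecking; a bare or empty attribute means true."""
    return attrs.get("spellcheck") is not None and attrs["spellcheck"].lower() == "false"


def audit_password_fields(source):
    """List every password field with its line, name and whether spellcheck is disabled."""
    findings = []
    for m in INPUT_TAG_RE.finditer(source):
        attrs = parse_attrs(m.group(0))
        if attrs.get("type", "").lower() != "password":
            continue
        findings.append({
            "line": source.count("\n", 0, m.start()) + 1,
            "name": attrs.get("name"),
            "spellcheck": attrs.get("spellcheck"),
            "protected": is_spellcheck_disabled(attrs),
        })
    return findings


def unprotected_password_fields(source):
    """Password fields that would still be exposed to a remote spellchecker."""
    return [f for f in audit_password_fields(source) if not f["protected"]]


def harden_password_fields(source):
    """Return the template with spellcheck="false" on every password field."""
    def fix(m):
        tag = m.group(0)
        attrs = parse_attrs(tag)
        if attrs.get("type", "").lower() != "password" or is_spellcheck_disabled(attrs):
            return tag
        if "spellcheck" in attrs:
            # Replace a wrong or bare spellcheck attribute rather than adding a second one.
            return SPELLCHECK_RE.sub('spellcheck="false"', tag, count=1)
        return tag[:len("<input")] + ' spellcheck="false"' + tag[len("<input"):]
    return INPUT_TAG_RE.sub(fix, source)


if __name__ == "__main__":
    for f in unprotected_password_fields(SAMPLE_TEMPLATE):
        print(f"line {f['line']}: <input name={f['name']!r}> spellcheck={f['spellcheck']!r}")
    print(harden_password_fields(SAMPLE_TEMPLATE))
```

Run against a checkout, the audit would be applied to each .php file in turn; a non-empty result from unprotected_password_fields is the regression signal that a new password field was added without the attribute, which is exactly the gap the later comments on this ticket (Application Passwords, the Database Setup screen) had to close by hand.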

#8 @audrasjb
16 months ago

  • Owner set to audrasjb
  • Status changed from new to reviewing

It is indeed a recommendation from MDN for elements that can contain sensitive information, like password fields.

Self-assigning to test the patch, make sure it covers each occurrence, and hopefully commit.

#9 @audrasjb
16 months ago

  • Keywords commit added

I added two commits to the PR to remove some extra whitespace.
Tests are passing.

The patch works fine and doesn't introduce any regression.

We're good to go with this implementation :)

#10 @audrasjb
16 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 55094:

Login and Registration: Disable spellcheck for password fields.

This changeset adds the spellcheck="false" attribute to various password fields.

The spellcheck global attribute defines whether the element may be checked for spelling errors. The false value indicates that the element should not be checked for spelling errors, which is relevant for a password field.

Furthermore, and as per MDN specs, using spellchecking can have consequences for users' security and privacy. The specification does not regulate how spellchecking is done and the content of the element may be sent to a third party for spellchecking results. Thus, it is recommended to set the spellcheck attribute to false for elements that can contain sensitive information, which is the case for password fields.

Props dziudek, audrasjb, gainesm, fosuahmed.
Fixes #56763.

#11 @audrasjb
16 months ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Reopening as I wanted to commit the Bundled Theme change separately.

#12 @audrasjb
16 months ago

  • Keywords has-patch commit removed

#14 @audrasjb
16 months ago

In 55095:

Twenty Twenty-One: Disable spellcheck for post password field.

This changeset adds the spellcheck="false" attribute to various password fields.

Follow-up to [55094].

Props dziudek, audrasjb, gainesm, fosuahmed.
See #56763.

#15 @audrasjb
16 months ago

  • Keywords needs-dev-note add-to-field-guide added

@audrasjb
16 months ago

Application Password field

#16 @audrasjb
16 months ago

Also, we need a patch for Application Passwords (see screenshot above).

#17 @audrasjb
16 months ago

  • Keywords needs-patch added

#18
16 months ago

This ticket was mentioned in PR #3870 on WordPress/wordpress-develop by Spaceshipone.

  • Keywords has-patch added; needs-patch removed

#19 @Spaceshipone
16 months ago

Hello,

I added a pull request for application forms.

#20 @audrasjb
16 months ago

  • Resolution set to fixed
  • Status changed from reopened to closed

In 55096:

Application Passwords: Disable spellcheck for password field.

This changeset adds the spellcheck="false" attribute to the application password field.

Follow-up to [55094], [55095].

Props Spaceshipone.
Fixes #56763.

#21
16 months ago

@audrasjb commented on PR #3870:

Thanks for the PR! Committed in https://core.trac.wordpress.org/changeset/55096

#22 @audrasjb
16 months ago

In 55110:

Upgrade/Install: Disable spellcheck for password field on Setup screen.

This changeset adds the spellcheck="false" attribute to the Database Password field on the Database Setup screen.

Follow-up to [55094], [55095], [55096].

See #56763.
