#56763 closed enhancement (fixed)
Disable spellcheck for all password fields for better privacy
Reported by: | dziudek | Owned by: | audrasjb |
---|---|---|---|
Milestone: | 6.2 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | needs-dev-note add-to-field-guide has-patch |
Focuses: | privacy | Cc: |
Description
According to the discovery described in this article: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
All password fields generated in WordPress should have the attribute spellcheck="false". It will prevent the browser from sending passwords to the Google Chrome spellchecking service if Enhanced Spellcheck is enabled.
Attachments (2)
Change History (25)
This ticket was mentioned in PR #3420 on WordPress/wordpress-develop by dziudek.
2 years ago
#1
This pull request adds spellcheck="false" attributes to all password fields in order to avoid the privacy problem described here: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
In short: browsers like Chrome/Edge with Enhanced Spellchecker enabled (it is disabled by default) can send password field values to the Google/Microsoft spellchecking services.
Trac ticket: https://core.trac.wordpress.org/ticket/56763
#2
@
2 years ago
Related Github pull request: https://github.com/WordPress/wordpress-develop/pull/3420
#4
@
2 years ago
- Component changed from Privacy to Login and Registration
- Severity changed from major to normal
- Version trunk deleted
#7
@
21 months ago
I have checked the GitHub PR. I see changes are made in 8 files and 13 occurrences.
I have searched in my local clone with the text type="password" in .php files and found the same number of files and occurrences. So all changes are made properly.
ScreenShot: https://prnt.sc/Eynib0CoHg7y
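The coverage check from comment #7 (finding every type="password" occurrence in .php files and confirming it carries spellcheck="false") can be automated. The script below is an added example, not part of the ticket, the PR or WordPress core; it goes beyond a plain text search by handling tags that span several lines or contain inline PHP blocks. The function names and the sample markup are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# An <input ...> tag; inline PHP blocks (<?php ... ?>) inside the tag are
# consumed whole so their "?>" is not mistaken for the end of the tag.
INPUT_TAG = re.compile(r"<input\b(?:<\?.*?\?>|[^>])*>", re.I | re.S)
IS_PASSWORD = re.compile(r"\btype\s*=\s*\\?[\"']password\b", re.I)
SPELLCHECK_OFF = re.compile(r"\bspellcheck\s*=\s*\\?[\"']false\b", re.I)


def find_unprotected(source):
    """Return (line_number, tag) for password inputs lacking spellcheck="false"."""
    hits = []
    for m in INPUT_TAG.finditer(source):
        tag = m.group(0)
        if IS_PASSWORD.search(tag) and not SPELLCHECK_OFF.search(tag):
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, " ".join(tag.split())))
    return hits


def scan_tree(root):
    """Scan every .php file under root; return {path: [(line, tag), ...]}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = find_unprotected(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample markup (not copied from WordPress core).
SAMPLE = '''<form method="post">
<input type="text" name="log" />
<input type="password" name="pwd"<?php echo $aria; ?> class="input" />
<input type="password" name="pass1"
       autocomplete="new-password" spellcheck="false" />
<input name="pass2" type='PASSWORD' spellcheck="true">
</form>
'''

if __name__ == "__main__":
    results = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
               else {"sample": find_unprotected(SAMPLE)})
    for path, hits in results.items():
        for line, tag in hits:
            print(f"{path}:{line}: {tag}")
    sys.exit(1 if any(results.values()) else 0)
```

Run with a checkout directory as the only argument; the non-zero exit status when any field is missing the attribute lets the script gate a CI job.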
#8
@
21 months ago
- Owner set to audrasjb
- Status changed from new to reviewing
It is indeed a recommendation from MDN for elements that can contain sensible information, like password fields.
Self-assigning to test the patch, make sure it covers each occurrence, and hopefully commit.
#9
@
21 months ago
- Keywords commit added
I added two commits to the PR to remove some extra whitespaces.
Tests are passing.
The patch works fine and doesn't introduce any regression.
We're good to go with this implementation :)
#11
@
21 months ago
- Resolution fixed deleted
- Status changed from closed to reopened
Reopening as I wanted to commit the Bundled Theme change separately.
@audrasjb commented on PR #3420:
21 months ago
#13
Committed in https://core.trac.wordpress.org/changeset/55094
This ticket was mentioned in PR #3870 on WordPress/wordpress-develop by Spaceshipone.
21 months ago
#18
- Keywords has-patch added; needs-patch removed
@audrasjb commented on PR #3870:
21 months ago
#21
Thanks for the PR! Committed in https://core.trac.wordpress.org/changeset/55096
#23
@
20 months ago
Added to misc dev note. Draft: https://make.wordpress.org/core/?p=103089&preview=1&_ppp=36765ffd5f
Patch for the described issue with password fields