Make WordPress Core

Opened 7 weeks ago

Last modified 7 weeks ago

#61332 new enhancement

Post via email - Password field default value trips Google Chrome warning

Reported by: adamkheckler's profile adamkheckler Owned by:
Milestone: 6.7 Priority: normal
Severity: normal Version:
Component: Administration Keywords: has-patch has-unit-tests
Focuses: Cc:

Description

TLDR: The default "Post via email" password is simply "password", which can trigger a scary-looking popup in Google Chrome.

To reproduce the issue:

  1. In Chrome, go to "chrome://settings/security".
  2. Toggle on the "Warn you if a password was compromised in a data breach" setting.
  3. Spin up a WordPress test site.
  4. In wp-admin, go to Settings > Writing.
  5. Click "Save Changes". No need to change any actual settings.
  6. Observe the attached popup from Chrome.

I believe Chrome thinks I have actually chosen the password "password" and warning me about it, which makes sense. The problem is that this triggers even when I've simply left the "Post via email" settings on their defaults, and only changed the default post category or whatever.

I'm not sure if WP core can do anything about this, but it seemed worth mentioning.

Attachments (1)

Screenshot taken on 2024-05-30 at 20.30.11 UTC@2x.png (93.9 KB) - added by adamkheckler 7 weeks ago.

Download all attachments as: .zip

Change History (5)

This ticket was mentioned in PR #6687 on WordPress/wordpress-develop by @sabernhardt.


7 weeks ago
#1

  • Keywords has-patch has-unit-tests added

Updates schema.php and unit tests

Trac 61332

#2 follow-up: @sabernhardt
7 weeks ago

  • Version 6.5.3 deleted

#22942 might deprecate the feature at some point, but I wonder about just leaving the password empty in schema.php. The value needs to be replaced for proper use anyway.

#3 in reply to: ↑ 2 @psykro
7 weeks ago

Replying to sabernhardt:

#22942 might deprecate the feature at some point, but I wonder about just leaving the password empty in schema.php. The value needs to be replaced for proper use anyway.

I just tested with an empty password, and it doesn't trigger the Chrome warning. I can't think of any reasons why this wouldn't be ok, as you point out, you have to specify actual mail server details for it to work.

#4 @sabernhardt
7 weeks ago

  • Milestone changed from Awaiting Review to 6.7
Note: See TracTickets for help on using tickets.