Opened 4 months ago
Last modified 4 months ago
#61702 new enhancement
Post via email: Login Name field triggers Safari's login autocomplete
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Administration | Keywords: | |
| Focuses: | Cc: |
Description
In Safari, when navigating to Settings > Writing, the "Post via email" Login Name field is auto-selected and the browser's autofill popup appears for the field (Safari's web form autofill is enabled by default). This field is selected/focused automatically by the browser upon navigating to the page. To reproduce, the user must have credentials saved for the WordPress site using Safari's password management feature.
After some testing, the autofill popup appears to be triggered by the term "Login" in the field label. When the label is changed to something more generic (like "User"), it isn't automatically focused and the popup does not appear.
Why is this a problem?
IMHO, this issue stems from the prominence of this popup, which suggests the user should select a credential from the list. However, this isn't an actual login form (as password managers may assume), so autofilling these fields does not make sense.
Where things could go wrong is that these are text fields stored as clear text in wp_options. If a user were to unwittingly click an available login fill option and save the form, then their site credentials could be unintentionally stored in the mailserver_login and mailserver_pass fields.
Even if how Safari handles this field is the underlying issue, I think there could be an opportunity for WordPress to make this more user friendly, and to treat the field differently from a login form.
Why not use autocomplete="off"?
While most browsers offer partial support for this option, for security and accessibility reasons it is largely ignored for fields that relate to logins/credentials.
Related: #22942, #61332