Bug 1477798 - Treat sensitive @autocomplete field names like 'off' in FormData.jsm. r=Felipe
authorMatthew Noorenberghe <mozilla@noorenberghe.ca>
Thu, 10 Jan 2019 18:49:46 +0000
changeset 510425 c334bf626b6d9366dc5a6d5d6deae9caa276bcea
parent 510424 b9002ded5523510c9926c5450bf101d7cbd0be07
child 510426 64a29845f509717da798cb433ac6ba9dac2ff088
push id10547
push userffxbld-merge
push dateMon, 21 Jan 2019 13:03:58 +0000
treeherdermozilla-beta@24ec1916bffe [default view] [failures only]
reviewersFelipe
bugs1477798
milestone66.0a1
Bug 1477798 - Treat sensitive @autocomplete field names like 'off' in FormData.jsm. r=Felipe Differential Revision: https://phabricator.services.mozilla.com/D15780
browser/components/sessionstore/test/browser_456342_sample.xhtml
toolkit/modules/sessionstore/FormData.jsm
--- a/browser/components/sessionstore/test/browser_456342_sample.xhtml
+++ b/browser/components/sessionstore/test/browser_456342_sample.xhtml
@@ -22,18 +22,25 @@
 <input type="button" name="button"/>
 <input type="password" name="password"/>
 <input type="PassWord" name="password2"/>
 <input type="PASSWORD" name="password3"/>
 <input autocomplete="off" name="auto1"/>
 <input type="text" autocomplete="OFF" name="auto2"/>
 <input type="text" autocomplete="   OFF   " name="auto5"/>
 <input autocomplete="   off   " name="auto6"/>
+<input autocomplete=" cc-CSC " name="auto7"/>
+<input autocomplete=" NEW-password " name="auto8"/>
 <textarea autocomplete="off" name="auto3"/>
 <select autocomplete="off" name="auto4">
   <option value="1" selected="true"/>
   <option value="2"/>
   <option value="3"/>
 </select>
+<select autocomplete="cc-CSC" name="CSC">
+  <option value="123" selected="true"/>
+  <option value="234"/>
+  <option value="345"/>
+</select>
 </form>
 
 </body>
 </html>
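Review bot: The new `auto7`, `auto8` and `CSC` fields only exercise single-token autocomplete values, so the fixture would still pass against a check that merely trims and lower-cases the attribute and compares it to a fixed list. A multi-token case such as `<input autocomplete="section-a billing cc-csc" name="auto9"/>` and a non-sensitive control such as `<input autocomplete="email" name="auto10"/>` (names illustrative) would show that a field is skipped because of its parsed field name and that ordinary autofill hints are still collected. The companion test that loads this page is not part of the visible diff, so its expectations would need matching updates.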
--- a/toolkit/modules/sessionstore/FormData.jsm
+++ b/toolkit/modules/sessionstore/FormData.jsm
@@ -163,16 +163,25 @@ var FormDataInternal = {
 
       // We do not want to collect credit card numbers or past/current password fields.
       if (ChromeUtils.getClassName(node) === "HTMLInputElement") {
         if (CreditCard.isValidNumber(node.value) || node.hasBeenTypePassword) {
           continue;
         }
       }
 
+      // We don't want to collect values from sensitive fields (indicated by the 'autocomplete'
+      // attribute on relevant elements e.g. autocomplete=off).
+      if (node.getAutocompleteInfo) {
+        let autocompleteInfo = node.getAutocompleteInfo();
+        if (autocompleteInfo && !autocompleteInfo.canAutomaticallyPersist) {
+          continue;
+        }
+      }
+
       if (ChromeUtils.getClassName(node) === "HTMLInputElement" ||
           ChromeUtils.getClassName(node) === "HTMLTextAreaElement" ||
           (node.namespaceURI == this.namespaceURIs.xul && node.localName == "textbox")) {
         switch (node.type) {
           case "checkbox":
           case "radio":
             value = node.checked;
             hasDefaultValue = value == node.defaultChecked;
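Review bot: The new autocomplete filter fails open in two places: a node without `getAutocompleteInfo` skips the check entirely, and a null result from it is treated as safe to collect. If that is intended, a comment above the inner `if` such as `// No autocomplete info means no sensitivity hint; collect as before.` would make the decision explicit for a privacy-relevant filter. If it is not intended, the textarea and XUL textbox cases handled just below need their own sensitivity check, because the hunk does not show whether those nodes expose the method. The enclosing loop starts and ends outside this hunk, so any earlier filtering of `autocomplete=off` nodes is not visible here.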