> > Even if the other ways are uncommon, they will probably get picked up once > this is gone. > I am aware of one way that is not being misused - a > React-and-Redux-Form-based website had to find out whether autofill > happened because otherwise the login submit button remains disabled and the > user had to delete one of the autofilled values and re-enter it. >
PhistucK@: Thank you for a detailed description. After removing these I think it's necessary to block the side channel what you said. WDYT? > ☆*PhistucK* > > > On Tue, Aug 17, 2021 at 9:01 AM Jaeyong Bae <[email protected]> wrote: > >> Hello, PhistucK >> >> > It can be used by a side channel to extract information from autofill >>> before the user decides to disclose it to the website. >>> Does "information" mean actual data (credentials)? Or is the fact that >>> something was autofilled also bad to be exposed (because it basically means >>> the user probably has an account on that website)? >>> (I ask because there are other ways to find out about the latter) >>> >> >> What I meant was the latter. I wonder the other way is common. >> >> >>> ☆*Phistuc* >>> >>> On Mon, Aug 16, 2021 at 5:52 PM Mike Taylor <[email protected]> >>> wrote: >>> >>>> Hi Jaeyong, >>>> >>>> On 8/16/21 10:27 AM, Jaeyong Bae wrote: >>>> >>>> >>>> *Contact emails *[email protected] >>>> >>>> Summary >>>> Remove pseudo classes :-internal-autofill-previewed and >>>> :-internal-autofill-selected. >>>> Un-expose these two classes and make them available for UA stylesheets >>>> only. >>>> >>>> Each class represents: >>>> :-internal-autofill-previewed class - fields are filled when hovering >>>> over an autofill suggestion >>>> :-internal-autofill-selected - fields are filled with a selected >>>> autofill suggestion >>>> >>>> Motivation >>>> Although being -internal-prefixed pseudo classes, these two pseudo >>>> classes have erroneously been exposed for author use. It can be used by a >>>> side channel to extract information from autofill before the user decides >>>> to disclose it to the website. Those pseudo classes should be only allowed >>>> in UA sheets. -internal prefix is used means that we did not intend to >>>> expose in the first place. So, there are no :-webkit-* versions of those. >>>> >>>> Interoperability and Compatibility Risk >>>> Edge: Not supported >>>> Firefox: Not supported >>>> Safari: Not supported >>>> >>>> Alternative implementation suggestion for web developers >>>> The default styling does not get overridden in preview state and >>>> selected state. >>>> Only can use :-webkit-autofill pseudo-classes for autofilled state >>>> (matched input elements which have been autofilled by user agent). >>>> >>>> Usage information from UseCounter >>>> There is no estimated data from UseCounter. >>>> >>>> <thinking outloud> >>>> >>>> Do we think its worth adding one? Or perhaps looking for usage in >>>> HTTPArchive as a proxy? I suspect fallout from removing this feature would >>>> be pretty minimal - designs might look different in some cases, so perhaps >>>> side-channel concerns are overriding here. Not sure if outreach would even >>>> be worthwhile, were we to find a popular site or library using this, since >>>> there's no recommended alternative. >>>> >>>> </thinking outloud> >>>> >>>> Entry on the feature dashboard >>>> https://chromestatus.com/feature/5778154275733504 >>>> >>>> Is there a crbug where interested folks can follow along? >>>> >>>> thanks, >>>> Mike >>>> >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "blink-dev" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bc31bca8-7b9d-b233-cece-f39f6fc38592%40chromium.org >>>> >>>> <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/bc31bca8-7b9d-b233-cece-f39f6fc38592%40chromium.org?utm_medium=email&utm_source=footer> >>>> . >>>> >>> >> thanks , >> Jaeyong >> > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/88da1303-005b-49c7-bf3d-5af2d32d8b9dn%40chromium.org.
