On 02.01.18 at 17:22, Gijs Kruitbosch wrote:
> On 01/01/2018 20:08, Jonathan Kingston wrote:
>> We have the ability to turn off the whole login manager within Firefox
>> preferences: "Remember logins and passwords for web sites" but no way to
>> prevent autofill.
> There's an about:config pref, as [1] points out, which does this.
> I wonder if there's a way to require user interaction only when pages
> contain non-same-origin scripts. Then again, it's not clear that that'd
> be "worth it", in the sense that that would actually significantly
> reduce the number of pages where user interaction would be required, nor
> that it wouldn't make the browser's behaviour less understandable to end
> users (as we would sometimes autofill without interaction, and sometimes
> wouldn't).
> In other form code we also care about whether form fields are focusable
> (i.e. visible, editable, etc.), which is something we could also
> potentially use to mitigate these attacks, though it could probably be
> bypassed by having a visible element that is positioned "offscreen" in
> an overflow:hidden container, or something of that sort.
> ~ Gijs
Or could we start blocking tracking-providers with this practice in general?
As much as this sounds like an arms race, these providers are only
valuable if they're on a lot of sites, so this might actually be a
winnable arms race.
Axel
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform