On Sun, Jan 21, 2018 at 6:29 PM, Jonathan Kingston <j...@mozilla.com> wrote:
>> But this vector is not realistic. The website _included_ the third party.
>> They want this tracking to occur. If we blocked invisible login forms from
>> autofill - the website will make the forms unobtrusively visible so they get
>> autofilled.
>
> Do we know this? My understanding was most research suggested trackers use
> every technique possible that go undetected. If these scripts then obviously
> degrade user experience then users complain to the site owner.
> These scripts could already do many malicious things anyway.

Well, there are already websites that stick an unobtrusive login form in the top header of the site; if my intention was to track users by getting around a browser defense that blocked my tracking, and that could do it, I think it'd be easy for me to integrate that design. Just conjecture.

>> We can disable autofill - but that kind of sucks from a usability
>> standpoint,
>
> Given we disable this on HTTP pages and also behave differently with CC and
> address autofill; why should this have a different experience?

I think I missed that we already disable autofill on HTTP...

>> Maybe there's a compromise. Assume we can detect _when_ a user submits a
>> login form that we have autofill data for*.
>
> I think this makes it much more confusing to be honest.

Definitely more complicated. I think the average user experience would remain unchanged though, since most users aren't clearing history in their (non-PBM) browser.

-tom
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform