[personal profile] venta
A question about web forms and security...

When filling in forms (I use Firefox), it's often possible to hit the down arrow and get a list of things you previously typed into that field. This is kind of handy, mostly, and results in me not having to type my name or email address out a lot.

Forms taking things like credit card details don't usually do this - for obvious reasons - and I assume the existence of some sort of 'nocache' attribute which the form-writer can set on the fields which contain information which should be a little more secure.

Except today I filled in an entire payment form (card number, expiry date, security code, the lot) from cached information based on me having filled the same form out on that website months ago. This strikes me as Not Good.

I intend to write to the site in question and tell them I think they're a bit rubbish... but I'd like to be sure I know what I'm talking about first. Am I right about the form attribute? Am I totally wrong, and this is something which Firefox implements wrongly and the site itself can't be blamed for?

Informed opinion welcome :)

Date: 2010-06-08 10:32 am (UTC)
From: [identity profile] alien8.livejournal.com
Don't send that email.

It's all in your browser. Under the preferences (I'm on a Mac so if you are on Doze it will vary.) Privacy, remember search and form history.

You're not the only one to have found this: http://support.mozilla.com/en-US/forum/1/7920

You can uncheck this - but this is sometimes rather handy.

So, try http://autofillforms.mozdev.org/ which will crypt the settings via your master password.

What? You haven't got one?

Do it now: set a Master Password for your profile (Preferences, Security, Use a Master Password)

:)

Date: 2010-06-08 10:37 am (UTC)
From: [identity profile] onebyone.livejournal.com
There is no such attribute, although password controls generally shouldn't be auto-filled from a drop-down menu that displays the password, since that would break the rule that the text is rendered such as to hide the characters.

It's down to the user agent what is cached and how. I just switch it off, especially since I use different email addresses for different sites anyway.

In Firefox you can generally highlight a chunk of site and right-click > "View selection source" to see the HTML. It might be possible to use Firefox-specific and/or JavaScript tricks to prevent caching.

Date: 2010-06-08 10:38 am (UTC)
From: [personal profile] zotz
Yesterday another of my friends commented that this must mean Love accepts Oyster prepay.

Date: 2010-06-08 10:45 am (UTC)
From: [identity profile] bateleur.livejournal.com
Some of the comments above are misleading.

The behaviour you want is accomplished by setting the property autocomplete = "off" on the <form> element.
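
As an added example (not part of the original thread and not any commenter's code): a small Python check that lists payment-looking fields a browser's form history may still save, because neither the field nor its enclosing <form> sets autocomplete="off". The name hints and the sample markup are constructed assumptions.

```python
from html.parser import HTMLParser

# Assumption: name fragments that suggest payment data (constructed list).
HINTS = ("card", "cvv", "cvc", "expiry", "security_code")

class AutocompleteAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.form_off = False  # enclosing <form> has autocomplete="off"
        self.findings = []     # field names left open to form history

    @staticmethod
    def _is_off(attrs):
        return (attrs.get("autocomplete") or "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.form_off = self._is_off(attrs)
        elif tag == "input":
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            kind = (attrs.get("type") or "text").lower()
            if kind in ("hidden", "submit", "button") or not any(h in name for h in HINTS):
                return
            # A field's own attribute takes precedence over the form's.
            off = self._is_off(attrs) if "autocomplete" in attrs else self.form_off
            if not off:
                self.findings.append(name)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_off = False

def audit(html):
    """Return the names of sensitive-looking inputs without autocomplete off."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup, not taken from any real site.
WEAK = """<form action="/pay" method="post">
  <input type="text" name="email">
  <input type="text" name="card_number">
  <input type="text" name="expiry">
  <input type="text" name="security_code">
</form>"""
FIXED = WEAK.replace("<form ", '<form autocomplete="off" ')
MIXED = FIXED.replace('name="expiry"', 'name="expiry" autocomplete="on"')
```

WEAK is the form as a site might ship it, FIXED adds the attribute on the <form> element, and MIXED shows a single field re-enabling autocomplete inside a form that turned it off.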
