[NXP-29114] Make login page compatible with some security recommendations - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Task
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 9.10-HF44, 10.10-HF27, 11.1, 2021.0
Component/s: Login Page

Release Notes Summary:
Autocomplete is disabled on the login page.
Tags:
- nxFG
- security
Team:
FG
Sprint:
nxFG 11.1.13
Story Points:
1

Description

Some security tools require the login/password fields of a login page to have autocomplete="off".

With most browsers this is not a usability issue because they still detect these fields and make them usable with password managers.

This obsolete requirement from security tools is often due to an incorrect reading of https://wiki.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005) and in particular forgetting to read the part that says:

Since early 2014 most major browsers will override any use of autocomplete="off" with regards to password forms and as a result previous checks for this are not required and recommendations should not commonly be given for disabling this feature.

Attachments

Issue Links

is duplicated by

NXP-28003 Auto complete on login form should be set to off by default

Resolved

NXP-29069 Add autocomplete off to default login screen

Resolved

is related to

NXDOC-862 Add howto turn off autocomplete on login form

Resolved

Is referenced in

PR for master: #4294

PR for master: #4597

Activity

People

Assignee:

Florent Guillaume

Reporter:

Florent Guillaume

Participants:

Florent Guillaume, Jenkins, Support Tech User

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

2020-05-15 09:00

Updated:

2021-01-19 16:56

Resolved:

2020-05-15 15:34

Time Tracking

Estimated:

Not Specified

Remaining:

Logged: