Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-29114

Make login page compatible with some security recommendations

    Details

    • Release Notes Summary:
      Autocomplete is disabled on the login page.
    • Tags:
    • Team:
      FG
    • Sprint:
      nxFG 11.1.13
    • Story Points:
      1

      Description

      Some security tools require the login/password fields of a login page to have autocomplete="off".

      With most browsers this is not a usability issue because they still detect these fields and make them usable with password managers.

      This obsolete requirement from security tools is often due to an incorrect reading of https://wiki.owasp.org/index.php/Testing_for_Vulnerable_Remember_Password_(OTG-AUTHN-005) and in particular forgetting to read the part that says:

      Since early 2014 most major browsers will override any use of autocomplete="off" with regards to password forms and as a result previous checks for this are not required and recommendations should not commonly be given for disabling this feature.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0 minutes
                  0m
                  Logged:
                  Time Spent - 1 hour
                  1h

                    PagerDuty

                    Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.