
> So the browser would have to determine if the item is visible to the user, which is not trivial

This is not terribly difficult; browsers need to know what is visible because they have to actually display it. If an element isn't drawn it shouldn't be autofilled.



> If an element isn't drawn it shouldn't be autofilled.

So if a form is too long and you need to scroll, all those fields you can't see won't be auto-filled? Sounds pretty terrible IMO.


To me (as a non autofill user), the published bug sounds way more harmful than a little inconvenience.


It's not just an inconvenience – it's broken and unexpected UI behaviour.


Well why not have it autofill on-draw?


It'd be easy to move the hidden elements on to the screen when the user clicks the submit button, so they'd be filled in and the form would then be submitted, and the information 'phished'.

The solution to this problem is to inform the user which fields will be completed by autofill, with a "not currently shown" highlight on any fields that are currently off the screen so the user understands what's happening.


Well, then simply make them height:0px or put a <div> with a white background over it. Change the input and make it text-color: white; background-color: white; Change its z-index to be lower than your other elements, etc.


opacity: 0.01;


This makes the case that auto fill just ain't that secure, I guess if we use it we just need to accept that.


There's no need to "just accept" that it's not secure. We need to make it secure. This is a tedious/hard problem, yes. IMHO we've (people) solved tougher problems :)


  <div style="font-family: Custom non-printing font 101">
    <input type="text" name="address"/>
    <input type="text" name="ssn"/>
  </div>


Adobe made a font like this, adobe blank: https://github.com/adobe-fonts/adobe-blank



Sure, but then the attacker can draw the fields within the 'visible' document, but below the 'fold'. If the browser chooses not to fill fields like that, it breaks a lot of autofill on long pages. Those two cases aren't significantly different.


Not necessarily. The browser often paints a much larger area than fits in the viewport, then hands it off to the GPU. (This can cause performance issues for very tall scrollable pages, which is why I've run into it.)


What if another element is drawn in front of it, though? I feel like there are a huge number of possible tricks to hide elements on a page and trick the browser into thinking they're visible.


How many pixels does an input need to occupy before it's considered "visible"?


Problem is that a form might be longer or wider than the viewport, which would result in "hidden" elements in genuine browsers too.
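
The hiding tricks listed in this thread, written as a defender-side audit of form fields (an added example, not part of the thread and not any browser's autofill code). The field records, thresholds and function names are constructed assumptions standing in for what `getBoundingClientRect()` and `getComputedStyle()` would report in a real page.

```javascript
// Assumed thresholds: the thread asks how many pixels count as "visible",
// and no standard answers that, so these are illustrative values only.
const MIN_SIDE_PX = 4;
const MIN_OPACITY = 0.1;

// Return the list of reasons a field would not be perceivable by the user.
function hiddenReasons(f) {
  const reasons = [];
  if (f.display === "none" || f.visibility === "hidden") reasons.push("not-rendered");
  if (f.width < MIN_SIDE_PX || f.height < MIN_SIDE_PX) reasons.push("too-small");
  if (f.opacity < MIN_OPACITY) reasons.push("transparent");
  if (f.color === f.backgroundColor) reasons.push("text-matches-background");
  // In a page this flag could be derived with document.elementFromPoint()
  // at the field's centre; here it is supplied directly.
  if (f.coveredByOtherElement) reasons.push("covered");
  return reasons;
}

// Below the fold is reported separately: the user can reach it by scrolling,
// so it is not treated as a hiding trick on its own.
function auditForm(fields, viewportHeight) {
  return fields.map((f) => ({
    name: f.name,
    hidden: hiddenReasons(f),
    belowFold: f.top >= viewportHeight,
  }));
}

function suspiciousNames(fields, viewportHeight) {
  return auditForm(fields, viewportHeight)
    .filter((r) => r.hidden.length > 0)
    .map((r) => r.name);
}

// Constructed sample form: one honest field plus one field per trick.
const base = { display: "block", visibility: "visible", width: 200, height: 24,
  opacity: 1, color: "black", backgroundColor: "white",
  coveredByOtherElement: false, top: 100 };
const sampleFields = [
  { ...base, name: "email" },
  { ...base, name: "phone", height: 0 },                   // height:0px
  { ...base, name: "address", opacity: 0.01 },             // opacity: 0.01
  { ...base, name: "ssn", color: "white" },                // white on white
  { ...base, name: "cc-number", coveredByOtherElement: true }, // element on top
  { ...base, name: "postal-code", top: 2400 },             // long genuine form
  { ...base, name: "blank-font" }, // glyphless font changes none of the checked properties
];

console.log(auditForm(sampleFields, 800));
```

The last sample record passes every check, which is the thread's point: each new hiding trick needs its own rule, so a blocklist of CSS properties does not close the problem.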


> Should autofill skip regular form elements that are just a little below the viewport?



