FishEye / FE-7536

As an admin, I need to be able to toggle form autocompletion on and off



      Problem Definition

      Online systems need to be more secure every day, and we should make Fisheye/Crucible block auto-filling of password fields even if the web browser allows it.

      Suggested Solution

      According to w3schools, HTML form and input tags can have the autocomplete attribute set to on or off.

      Therefore, the Fisheye administration panel should have the option to toggle form autocompletion on and off.

      Workarounds

      Workaround 1

      Set the browser to be managed in the domain controller and disable the password cache in the browser.

      In Google Chrome you would need to:

      1. Open chrome://password-manager/passwords
      2. On the left menu, click on Settings
      3. On the main screen, turn off the "Offer to save passwords" and "Log in automatically" options.
      4. (Optional) Go to chrome://password-manager/passwords and delete all previously saved passwords.

      Workaround 2

      Configure a reverse proxy to manipulate the response. The autocomplete="off" attribute is typically set on HTML form or input elements, so the HTTP response body that carries the HTML sent to the client's browser would need to be rewritten before it leaves the proxy.

      For NGINX, the ngx_http_sub_module can be used for simple string replacements. Alternatively, the more powerful third-party subs_filter module (which supports regular expressions) could be used.

      Sample implementation:

      http {
          server {
              location / {
                  proxy_pass http://backend_server;
                  # Ask the backend for an uncompressed body: substitution filters
                  # cannot rewrite gzip-encoded responses.
                  proxy_set_header Accept-Encoding "";
                  subs_filter_types text/html;
                  # i = case-insensitive match, r = treat the pattern as a regex;
                  # every match on a line is replaced (subs_filter's default).
                  subs_filter '<input type="password"' '<input type="password" autocomplete="off"' ir;
              }
          }
      }

      This configuration sets up subs_filter to search for <input type="password" in every response body of type text/html and replace it with <input type="password" autocomplete="off", so that each password input whose tag begins with exactly that string is marked as not eligible for autocomplete.

      Considerations and Limitations:

      • Browser Compliance: Modern browsers might ignore the autocomplete="off" attribute for password fields to enhance user experience, especially in login forms. Therefore, this method might not be effective in all cases.
      • Security Implications: Disabling autocomplete for passwords can be seen as reducing user experience and potentially encouraging weaker passwords.
      • Performance: Modifying response bodies can add processing overhead to the proxy, potentially impacting performance. Ensure that the proxy server is adequately resourced and that the modifications are as efficient as possible.
      • Complexity: The example provided is relatively simplistic and might not cover all cases in real-world HTML forms. This implementation would need to be tested thoroughly to ensure it works reliably. We've seen different degrees of success with this method, hence the importance of properly testing in each specific environment.
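      The following script is an added check for Workaround 2; it is not part of this issue and is not Atlassian's or the subs_filter project's code. It applies the same case-insensitive pattern the nginx rule uses to a constructed sample login form, then audits the result with an HTML parser that finds every password input regardless of attribute order or letter case. This makes the Complexity limitation concrete: an input whose tag does not begin with exactly <input type="password" (for example one with a class attribute before type) is left without autocomplete="off". The sample HTML and field names are constructed for the example; the same auditor can be fed a body fetched through the real proxy to verify the rewrite in a given environment.

```python
import re
from html.parser import HTMLParser

# Constructed sample response body (not a real Fisheye page): three password
# inputs written three different ways, to exercise the proxy rewrite.
SAMPLE_HTML = """
<form method="post" action="/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input class="wide" type="password" name="confirm">
  <INPUT TYPE="password" name="legacy" autocomplete="on">
</form>
"""

# Equivalent of the nginx rule:
#   subs_filter '<input type="password"' '<input type="password" autocomplete="off"' ir;
# 'i' = case-insensitive, 'r' = regex; every match is replaced (subs_filter's default).
PROXY_PATTERN = re.compile(r'<input type="password"', re.IGNORECASE)
PROXY_REPLACEMENT = '<input type="password" autocomplete="off"'


def apply_proxy_rewrite(body: str) -> str:
    """Mimic what the proxy does to the HTML body before it reaches the browser."""
    return PROXY_PATTERN.sub(PROXY_REPLACEMENT, body)


class PasswordInputAuditor(HTMLParser):
    """Records every <input type="password">, whatever the attribute order or case.

    HTMLParser lowercases tag and attribute names for us. Where an attribute is
    repeated (which the rewrite can cause when the original tag already carried
    autocomplete="on"), the first occurrence wins, matching browser behaviour.
    """

    def __init__(self):
        super().__init__()
        self.findings = []  # (field name, autocomplete value or None if absent)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        attr_map = {}
        for key, value in attrs:
            attr_map.setdefault(key, value)
        if (attr_map.get("type") or "").lower() != "password":
            return
        self.findings.append((attr_map.get("name"), attr_map.get("autocomplete")))


def audit_password_inputs(body: str) -> list:
    """Return (name, autocomplete) for each password input in the body."""
    auditor = PasswordInputAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings


def fields_missing_autocomplete_off(body: str) -> list:
    """Names of password inputs that would still be eligible for autofill."""
    return [name for name, value in audit_password_inputs(body)
            if (value or "").lower() != "off"]


if __name__ == "__main__":
    print("before rewrite:", fields_missing_autocomplete_off(SAMPLE_HTML))
    rewritten = apply_proxy_rewrite(SAMPLE_HTML)
    print("after rewrite: ", fields_missing_autocomplete_off(rewritten))
    # before rewrite: ['password', 'confirm', 'legacy']
    # after rewrite:  ['confirm']   (attribute order defeats the literal match)
```

      Running the script shows that the "confirm" field survives the rewrite untouched, which is exactly the kind of gap that needs to be found by testing in each environment before relying on this workaround.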

      Assignee: Unassigned
      Reporter: Felipe Kraemer (fkraemer)