A recent research post[1] has highlighted the need for Firefox to disable
autofilling of credentials. The research post suggests web trackers are
using autofilling to track users around the web.

Currently we take the stance to require user interaction for addresses and
credit card filling, however we don't do this for user credentials.

I have raised a bug[2] to tackle this issue, however we should discuss if
disabling autofill is the right approach first.

As I mention in the bug, Firefox has changed to be a single interaction to
show the logins for fields; previously this required two interactions. This
change significantly improves the usability of the login manager without
having to autofill.

We have the ability to turn off the whole login manager within Firefox
preferences: "Remember logins and passwords for web sites" but no way to
prevent autofill.

As part of [2] we could opt to allow users to enable the autofill feature
again in the about:preferences.

More explanation of the threat can be found on a post by Eric Lawrence[3].

Thanks
Jonathan

[1] https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1427543
[3] https://textslashplain.com/2017/12/28/taking-off-your-nametag/
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
