form security stuff
Darin Adler
darin at apple.com
Fri Apr 18 09:06:19 CEST 2003
On Friday, April 18, 2003, at 7:22AM, Dirk Mueller wrote:
> Besides verbose code that maintains this state, there is no place that actually queries it and uses it.
The code that implements the rest of this feature is in KWQ. You might
want to implement a similar feature for Konqueror.
> How do you use the fact that it is a secure form or has a password field?
>
> If this is just about not storing user-entered input of secure or password fields in session history, then this can be nicely encapsulated in HTMLGenericFormElementImpl, so I wonder that there *must* be a different reason. However, I cannot imagine one.
Like WinIE, we now don't save anything on a page that includes a secure
form or a password field. I don't just mean that we don't store the
user-entered input, but rather that we don't store these pages in the
cache at all. That's because such pages often contain information about
the user, not just typed into the fields but in the default values and
outside the form itself.
If I recall correctly, some of this was the result of specific security
requests from a bank that was deciding whether to enable access for
Safari users. But the change also makes us compatible with sites that
have implicit assumptions about going back to such pages and having
them not be cached due to WinIE's behavior.
We did have some debate about this (I remember a note from Maciej
saying, "The Win IE behavior seems like overkill to me.") but in the
end we decided to emulate WinIE in this respect.
-- Darin
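The policy Darin describes, as an added illustration that is not KHTML or KWQ code: the document keeps counts of secure forms and password fields as form controls attach and detach, and the history cache asks the document about the whole page rather than looking at individual field values. Treating a form as "secure" when its action URL is https, and the helper and type names, are assumptions of this example.

```cpp
// Added example, not code from KHTML/KWQ. Models the state Dirk asked about
// (counts maintained per document) and the query KWQ makes before caching.
#include <string>

struct Document {
    int secureForms = 0;     // forms whose action URL is https (assumed test)
    int passwordFields = 0;  // <input type="password"> controls in the page

    static bool isSecureAction(const std::string& action) {
        return action.compare(0, 8, "https://") == 0;
    }
    // Bookkeeping when a form is inserted into / removed from the tree.
    void attachForm(const std::string& action) {
        if (isSecureAction(action)) ++secureForms;
    }
    void detachForm(const std::string& action) {
        if (isSecureAction(action)) --secureForms;
    }
    // Bookkeeping when a form control is inserted / removed.
    void attachInput(const std::string& type) {
        if (type == "password") ++passwordFields;
    }
    void detachInput(const std::string& type) {
        if (type == "password") --passwordFields;
    }

    bool hasSecureForm() const { return secureForms > 0; }
    bool hasPasswordField() const { return passwordFields > 0; }
};

// History-cache policy: a page containing a secure form or a password field
// is not stored at all, so default values and text outside the form are not
// retained either. Returns true only when the page may be cached.
bool canCacheInHistory(const Document& doc) {
    return !doc.hasSecureForm() && !doc.hasPasswordField();
}

// Constructed sample pages (hypothetical URLs) used to exercise the policy.
Document loginPage() {
    Document d;
    d.attachForm("https://example.test/login");
    d.attachInput("text");
    d.attachInput("password");
    return d;
}
Document searchPage() {
    Document d;
    d.attachForm("http://example.test/search");
    d.attachInput("text");
    return d;
}
```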