Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add autocomplete attribute to known password fields. #2700

Merged
merged 2 commits into from
Dec 30, 2022
Merged

Add autocomplete attribute to known password fields. #2700

merged 2 commits into from
Dec 30, 2022

Conversation

rfeese
Copy link
Contributor

@rfeese rfeese commented Nov 9, 2022

Description (*)

Add "autocomplete" attribute to password fields on customer-facing forms. This is not really a security issue in my opinion, but this change is intended to help meet PCI attestation requirements. Some vulnerability scanners are known to flag this as an issue. For example: https://www.tenable.com/plugins/nessus/42057

I attempted to use the most appropriate value for the attribute (off or new-password). These changes should not have any noticeable impact on users.

Related Pull Requests

Fixed Issues (if relevant)

  1. Fixes OpenMage/magento-lts#<issue_number>

Manual testing scenarios (*)

  1. Access a customer login screen.
  2. Verify that the password field has an "autocomplete" attribute.

Questions or comments

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All automated tests passed successfully (all builds are green)
  • Add yourself to contributors list

@github-actions github-actions bot added Component: Checkout Relates to Mage_Checkout Component: Customer Relates to Mage_Customer Component: Oauth Relates to Mage_Oauth Component: Persistant Relates to Mage_Persistant documentation Template : base Relates to base template Template : default Relates to base template Template : rwd Relates to rwd template labels Nov 9, 2022
@elidrissidev
Copy link
Member

Could you please setup your git credentials and amend the commits?

@rfeese rfeese force-pushed the disable-password-autocomplete branch from 2d20d77 to a61df5d Compare November 10, 2022 17:26
@fballiano fballiano merged commit 2e84f76 into OpenMage:1.9.4.x Dec 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@addison74 addison74 addison74 approved these changes

@fballiano fballiano fballiano approved these changes

Assignees
No one assigned
Labels
Component: Checkout Relates to Mage_Checkout Component: Customer Relates to Mage_Customer Component: Oauth Relates to Mage_Oauth Component: Persistant Relates to Mage_Persistant documentation Template : base Relates to base template Template : default Relates to base template Template : rwd Relates to rwd template
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rfeese @elidrissidev @fballiano @addison74