From 5425c1a856badf46d9727cba585b8ab9c1a0e735 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 15 Jul 2024 10:51:30 +0700
Subject: [PATCH] try harder to prevent password input with insecure settings
---
 html5/connect.html | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/html5/connect.html b/html5/connect.html
index 9fb0637c..19f24e20 100644
--- a/html5/connect.html
+++ b/html5/connect.html
@@ -687,7 +687,7 @@

Advanced options

if (username) {
 url += username;
 }
- if (password) {
+ if (password && is_password_safe()) {
 url += ":"+password;
 }
 if (username || password) {
@@ -943,8 +943,16 @@
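Review bot: When `is_password_safe()` returns false the password is dropped from the URL without any trace, while the following `if (username || password)` branch still runs because `password` is still truthy. The user is then presumably left with a connection attempt that fails or re-prompts, with nothing explaining why. A log line that does not include the secret would make this diagnosable, e.g. `else if (password) { Utilities.log("password omitted from URL: insecure settings"); }`. The enclosing function starts and ends outside the hunk, so what the `username || password` branch appends is not visible here.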

Advanced options

return webtransport_input.checked || ssl_input.checked || aes_input.checked;
 }
 function is_password_safe() {
+ if (insecure_input.checked) {
+ return True;
+ }
+ if (!has_session_storage) {
+ // don't show the password on the URL
+ // which can be seen in the top bar and captured in the server logs
+ return False;
+ }
 const host = document.getElementById("server").value;
- return is_secure_connection() || insecure_input.checked || Utilities.isSafeHost(host);
+ return is_secure_connection() || Utilities.isSafeHost(host);
 }
 function update_password_input() {
@@ -952,6 +960,10 @@
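Review bot: `return True;` and `return False;` in `is_password_safe()` are not JavaScript literals, so unless globals with those names are defined elsewhere on the page, either line throws a ReferenceError instead of returning a boolean. They should read `return true;` and `return false;`. The exception would also reach the URL builder in the first hunk and, presumably through `update_password_input()`, the handlers changed in the last hunk, aborting them before `host_address_changed()` runs. Separately, the `insecure_input.checked` early return sits above the `has_session_storage` guard, so with the insecure option ticked and no session storage the password can still end up on the URL. If that override is intended, a comment such as `// explicit user opt-in overrides the URL exposure check below` would make it clear.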

Advanced options

password_input.disabled = !safe;
 if (!safe) {
 password_input.value = "";
+ password_input.title = "Typing a password would be insecure with these settings";
+ }
+ else {
+ password_input.title = "Session Password";
 }
 }
 insecure_input.onchange = function () {
@@ -1491,18 +1503,22 @@
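Review bot: The only explanation given for the disabled and cleared password box is the `title` set here, and a title tooltip appears on mouse hover only, so touch and keyboard users see a disabled field with no reason. Some browsers may also not show tooltips on disabled controls. Consider also putting the message into visible text beside the field, or into an element referenced by `aria-describedby`, so the reason for the restriction is always shown. `update_password_input()` begins above the hunk, so how `safe` is computed is not visible here.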

Advanced options

let el = $("#" + watched_element);
 el.on("change", function () {
 Utilities.log(watched_element, "changed");
+ update_password_input();
 host_address_changed();
 });
 el.on("paste", function () {
 Utilities.log(watched_element, "pasted");
+ update_password_input();
 host_address_changed();
 });
 el.on("keyup", function () {
 Utilities.log(watched_element, "key event");
+ update_password_input();
 cancel_changed_timer();
 target_changed_timer = setTimeout(host_address_changed, ajax_delay);
 });
 el.on("keydown", function () {
+ update_password_input();
 cancel_changed_timer();
 });
 }
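Review bot: The `update_password_input()` call added to the `keydown` handler runs before the browser has applied the keystroke to the field, so it re-evaluates the previous value and adds nothing over the `keyup` call. The same is likely true of the `paste` handler, which normally fires before the pasted text is inserted. Values that change without key events (autofill, drag-and-drop, IME composition) are only picked up on `change`, typically after blur, which leaves a window where the password box stays enabled for a host that is no longer safe. Listening for `input` would cover these cases: `el.on("input", update_password_input);`. The enclosing function starts above the hunk, so which elements are watched is not visible here.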