[imp] Autocomplete option in $conf[]

Oliver Schulze L. oliver at samera.com.py
Wed Feb 19 16:03:21 PST 2003


Eric Rostetter wrote:

>Quoting "Oliver Schulze L." <oliver at samera.com.py>:
>
>  
>
>>Hi,
>>I'm writing about the 'autocomplete=off' parameter that can be inside
>>a <form> tag.
>>    
>>
>
>Been discussed before, and added to the FAQ.
>
>  
>
>>I know that using autocomplete is not xhtml compliant, but since many
>>modern internet browsers have the ability to save users' passwords
>>on public computers, I think this issue must be configurable in the file
>>/imp/config/conf.php following a big warning that enabling it will
>>result in a non xhtml compliant page.
>>    
>>
>
>So that Horde/IMP won't save their password, but every other web site
>they go to will???  If this is a public computer, then the option should
>be disabled in the browser, so it won't work with any page.  Trying to
>change pages/sites one-by-one won't give any real security.  Disabling
>it in the browser will.
>
>  
>
>>I think that in the case of public computers, this is a security issue
>>when the public computer is not configured properly.
>>    
>>
>
>But it only fixes one hole out of thousands, and is hardly worth worrying
>about.  If you run a public facility, make sure it is configured correctly.
> 
>  
>
>>What do you think about it?
>>    
>>
Hi Eric,

>Well, from a Horde point of view, I'm fairly neutral.  Don't really care much.
>But from a security point of view, this misses the boat totally.  It is 
>completely the wrong way to tackle a security issue...
>
I'm abandoning my pursuit of having this option enabled. I didn't know it
was a sensitive issue.

My policy is that when I find a sensitive issue in an OSS project, then
I let the project's owners decide and I stop asking for that sensitive issue.

The same happened to me when I was doing a little patch for Mozilla to
have Ctrl+Enter in the URL bar like IE. When I realized that it was a
really *big* sensitive issue, I stopped asking for my patch to be
accepted (and started using my own patch).

I don't want people to start taking sides about this issue, so I say:
"Peace, and let it be the way it is"
I don't want to be the one responsible for starting the fire :-)

Regards
Oliver

-- 
Oliver Schulze L.
<oliver at samera.com.py>



