List:       kfm-devel
Subject:    Re: Outstanding critical issue for KDE 2.2
From:       Malte Starostik <malte () kde ! org>
Date:       2001-08-01 21:18:01

On Wednesday, 1 August 2001 23:01, Kurt Granroth wrote:
> On Wednesday 01 August 2001 01:18 pm, Malte Starostik wrote:
> > Forms can use an attribute ("nocomplete" IIRC, dunno exactly) to disable
> > completion for some fields. That attribute is honoured by both IE and
> > KHTML, any other text field is completed. But I agree, information
> > entered into SSL forms should not be stored.
>
> Actually, you agree to something I did not say ;-)  I *like* having the
> autocompletion even in SSL forms.  90% of entries on SSL forms are name,
> email address, snail address, and the like.  Those are a PITA to write
> every time so the autocompletion is a huge timesaver.  Those entries are
> also fairly public in that I don't mind if anybody sees them.
Good point actually, now I agree with something you did say ;}

> I will admit that it's disconcerting to see credit card numbers written to
> the formcompletions cache, though.  Sure, those sites are "broken".. but
> that's not much of an excuse.
Hmm, yes, they should turn off autocompletion for those fields...

> On the other hand, there *is* some modicum of security still in place.  My
> $HOME/.kde2 directory and formcompletions file are readable only by me (and
> root).  If somebody were to crack my system, then the info stored in
> formcompletions would be the least of my worries since I also store all of
> my passwords to all of the ecommerce sites I go to on my computer.
Alright, what remains is those "broken" sites. OTOH the whole thing is an IE 
extension and not all sites are "developed for IE", even if most are.
I'd personally prefer a confirmation message box before storing completion 
items for SSL secured sites. As this is not possible, I consider it the 
safest way to disable completion there. Grr, disagreeing with myself again :)
<evilremark>And well, I don't have a CC, so actually, why bother at 
all</evilremark>
Thing is, we probably will get bug reports if we blindly store such data into 
formcompletions........
Please, someone help fix my confusion now :)

-- 
Malte Starostik
PGP: 1024D/D2F3C787 [C138 2121 FAF3 410A 1C2A  27CD 5431 7745 D2F3 C787]