Bug #98492 (closed): Mitigate Browser "Spell-Jacking"
Status: Closed
Priority: Should have
Assignee: -
Category: Security
Target version: -
Start date: 2022-10-01
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 10
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:
Description
The following issue has been brought to the attention of the security team.
Source: https://www.otto-js.com/news/article/chrome-and-edge-enhanced-spellcheck-features-expose-pii-even-your-passwords
Having manually(!) enabled "enhanced spell checking" in browsers can lead to scenarios in which password data is sent to the remote services that actually perform the spell checking. Since this issue is caused by browsers and the determination of "confidentiality" is fuzzy here, this issue is handled in public. For instance, any content that is only available in an intranet would be considered confidential; it is not only about password data.
The suggestion for the TYPO3 core is:
- https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes/spellcheck
- use HTML attr spellcheck="false" for any <form> that is used for credentials
- use HTML attr spellcheck="false" for any <input type="password"> in case it might be used in combination with other content that should be spell checked (in terms of UX)
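As an added illustration of the suggestion above (this is not TYPO3 core code and not taken from the linked article), the following JavaScript scans form markup and reports every password field whose effective spellcheck setting is not "false". The spellcheck attribute is inherited from ancestor elements, so a field counts as mitigated when either the <input> itself or an enclosing <form> carries spellcheck="false". The function names and the sample forms are constructed for this example; the field names and action URLs are placeholders, not TYPO3's own.

```javascript
// Added example (not TYPO3 core code): audit form markup for password
// fields that still allow browser spell checking.

// Parse the attributes of one opening tag ("<input ...>") into an object.
function parseAttributes(tagSource) {
  const attrs = {};
  const body = tagSource
    .replace(/^<\s*[a-zA-Z][a-zA-Z0-9-]*/, '') // drop the tag name
    .replace(/\/?>$/, '');                      // drop the closing "/>" or ">"
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const value = m[2] !== undefined ? m[2]
                : m[3] !== undefined ? m[3]
                : m[4] !== undefined ? m[4] : '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Explicit spellcheck value of an element: 'false', 'true' (any other
// value, including the bare attribute, means enabled per the HTML spec),
// or null when the attribute is absent (inherit from the ancestors).
function explicitSpellcheck(attrs) {
  if (!Object.prototype.hasOwnProperty.call(attrs, 'spellcheck')) return null;
  return attrs.spellcheck.trim().toLowerCase() === 'false' ? 'false' : 'true';
}

// Nearest explicit value wins: the element first, then enclosing <form>s
// from innermost outwards; otherwise the browser default applies.
function effectiveSpellcheck(ownAttrs, formStack) {
  const own = explicitSpellcheck(ownAttrs);
  if (own !== null) return own;
  for (let i = formStack.length - 1; i >= 0; i--) {
    if (formStack[i] !== null) return formStack[i];
  }
  return 'default';
}

// Walk <form>, </form> and <input> tags in document order; return one
// finding per password field whose effective setting is not 'false'.
// 'default' is reported too: a user-enabled enhanced spell checker would
// apply to such a field.
function auditPasswordFields(html) {
  const findings = [];
  const formStack = [];
  const tagRe = /<\s*(\/?)(form|input)\b[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (tag === 'form') {
      if (closing) formStack.pop();
      else formStack.push(explicitSpellcheck(parseAttributes(m[0])));
      continue;
    }
    const attrs = parseAttributes(m[0]);
    if ((attrs.type || 'text').toLowerCase() !== 'password') continue;
    const effective = effectiveSpellcheck(attrs, formStack);
    if (effective !== 'false') {
      findings.push({ name: attrs.name || '(unnamed)', spellcheck: effective });
    }
  }
  return findings;
}

// Constructed sample: a credentials form without the mitigation.
const WEAK_LOGIN_FORM = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <button type="submit">Login</button>
</form>`;

// Constructed sample: spellcheck="false" on the credentials <form>, and on
// the single password field of a form whose other content should keep
// spell checking (the UX case from the suggestion above).
const HARDENED_FORMS = `
<form action="/login" method="post" spellcheck="false">
  <input type="text" name="username">
  <input type="password" name="password">
</form>
<form action="/profile" method="post">
  <textarea name="bio" spellcheck="true"></textarea>
  <input type="password" name="current_password" spellcheck="false">
</form>`;

console.log('weak:', auditPasswordFields(WEAK_LOGIN_FORM));
console.log('hardened:', auditPasswordFields(HARDENED_FORMS));
```

Running the audit over a template directory before release is one way to check the mitigation stays in place; note that a form explicitly marked spellcheck="true" is inherited by its password fields and is reported, which is the case the second bullet above addresses by setting the attribute on the field itself.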