You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@struts.apache.org by "Jim Manico (JIRA)" <ji...@apache.org> on 2009/07/19 01:31:59 UTC
[jira] Updated: (STR-3189) Enable the Autocomplete tag by default
[ https://issues.apache.org/struts/browse/STR-3189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jim Manico updated STR-3189:
----------------------------
Description:
I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest release of the 1.x Struts line.
I would like the ability to disable autocomplete in an HTML form. Sadly (from a security perspective), most every browser enables autocomplete by default. We need to explicitly attribute our form html with autocomplete="off" - in both the form and form element tags of HTML 4.01+ pages. This is a very basic security protection. Wanting to preventing the browser from caching credit card number, PII and other critical user data is a no-brainier; appsec 101.
Now, the recent 1.3.10 release made a great stride in this direction. Finally for the first time the main Struts 1.3.x branch supports the autocomplete tag (which defensive coders need - just to disable this feature via html!). But it's still not enabled by default in Struts! I need to modify the struts tld xml file in order to enable the autocomplete form and form element attribute; which takes me off the main branch of Struts 1.3.x.
I implore you to consider enabling autocomplete by default, so we can turn it off - without having to customize our version of struts 1.3.x! The best security is "secured by default", and this request moves us in that direction.
Jim Manico
OWASP, Intrinsic Security Working Group
was:
I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest release of the 1.x Struts line.
I would like the ability to disable autocomplete in an HTML form. This is really a basic security principle that all modern browsers support even when rendering 4.01 transitional. Sadly, by default, most every browser enables autocomplete. We need to explicitly say autocomplete="off" in both the form and form element tags in order to gain this very basic security protection. Preventing the browser from caching credit card number and the like is a no-brainier; appsec 101.
Now, the recent 1.3.10 release made a great stride in this direction. Finally for the first time the main Struts 1.3.x branch supports the Autocomplete tag (just so we can disable this feature). But it's still not enabled by default! I need to modify the tld in order to enable the autocomplete form and form element attribute; which takes me off the main branch of Struts 1.3.x.
I implore you to consider enabling autocomplete by default, so we can turn it off - for real! The best security is "secured by default".
Jim Manico
OWASP, Intrinsic Security Working Group
> Enable the Autocomplete tag by default
> --------------------------------------
>
> Key: STR-3189
> URL: https://issues.apache.org/struts/browse/STR-3189
> Project: Struts 1
> Issue Type: Improvement
> Components: Tag Libraries
> Affects Versions: 1.3.10
> Environment: All
> Reporter: Jim Manico
>
> I'm a big fan of Struts 1.3.x. I currently use Struts 1.3.10, the latest release of the 1.x Struts line.
> I would like the ability to disable autocomplete in an HTML form. Sadly (from a security perspective), most every browser enables autocomplete by default. We need to explicitly attribute our form html with autocomplete="off" - in both the form and form element tags of HTML 4.01+ pages. This is a very basic security protection. Wanting to preventing the browser from caching credit card number, PII and other critical user data is a no-brainier; appsec 101.
>
> Now, the recent 1.3.10 release made a great stride in this direction. Finally for the first time the main Struts 1.3.x branch supports the autocomplete tag (which defensive coders need - just to disable this feature via html!). But it's still not enabled by default in Struts! I need to modify the struts tld xml file in order to enable the autocomplete form and form element attribute; which takes me off the main branch of Struts 1.3.x.
> I implore you to consider enabling autocomplete by default, so we can turn it off - without having to customize our version of struts 1.3.x! The best security is "secured by default", and this request moves us in that direction.
> Jim Manico
> OWASP, Intrinsic Security Working Group
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.