Problem/Motivation

Currently, the dadata_api_settings form adds two inputs: api_key and secret. They are used for entering and editing API credentials. Since these fields don't have autocomplete disabled, the browser will cache their values on the client side.

As a result, the browser will autocomplete and suggest those values on other sites. This does not directly expose them, but makes it possible if the user doesn't clear those values from the inputs.

Steps to reproduce the issue

1. Open configuration form: /admin/config/services/dadata-api
2. Enter API credentials and submit the form.
3. Go to this codepen: https://codepen.io/Niklan/pen/mdVzRKB or any other site which has inputs with the names api_key and secret. The browser will expose the keys as suggestions.

Proposed resolution

Add autocomplete="off" to these inputs to prevent the browser from caching the values.

Remaining tasks

Review the patch.

Comment   File             Size        Author
#2        3159549-2.patch  804 bytes   niklan
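
The proposed resolution, sketched as an added example (this is not the attached patch or the module's own code): a Drupal 7 style form array with the two inputs named in the issue, and a helper that sets autocomplete="off" on them wherever they are nested. The function names and the form layout are assumptions; only the keys api_key and secret come from the issue.

```php
<?php
// Added example. Function names and form layout are hypothetical;
// only the input names api_key and secret come from the issue.

// Constructed sample form in Drupal 7 Form API array style.
function example_dadata_settings_form() {
  $form['credentials'] = array(
    '#type' => 'fieldset',
    '#title' => 'API credentials',
  );
  $form['credentials']['api_key'] = array(
    '#type' => 'textfield',
    '#title' => 'API key',
  );
  $form['credentials']['secret'] = array(
    '#type' => 'textfield',
    '#title' => 'Secret',
    '#attributes' => array('class' => array('secret-input')),
  );
  return $form;
}

/**
 * Recursively sets autocomplete="off" on elements whose key is in $names.
 * Keys starting with '#' are properties; every other array is a child element.
 */
function example_disable_autocomplete(array &$element, array $names) {
  foreach ($element as $key => &$child) {
    if (!is_array($child) || (is_string($key) && $key !== '' && $key[0] === '#')) {
      continue;
    }
    if (in_array($key, $names, TRUE)) {
      // Add to existing attributes instead of replacing them.
      $child += array('#attributes' => array());
      $child['#attributes']['autocomplete'] = 'off';
    }
    example_disable_autocomplete($child, $names);
  }
  unset($child);
}

// In a module this call would sit in the form builder or in a
// hook_form_alter() implementation.
$form = example_dadata_settings_form();
example_disable_autocomplete($form, array('api_key', 'secret'));
var_dump($form['credentials']['secret']['#attributes']);
```

Browsers generally honor autocomplete="off" for form-history suggestions on text inputs like these, but password managers may ignore it on password-type fields.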

Comments

Niklan created an issue. See original summary.

niklan:

Status: Active » Needs review
Attached file: new, 804 bytes

niklan:

Issue summary: View changes

niklan:

Title: Do not cache API keys on client » Prevent caching API keys on client

walkingdexter:

Status: Needs review » Patch (to be ported)

Committed, thanks!

  • WalkingDexter committed b1f2c34 on 7.x-1.x
    Issue #3159549 by Niklan, WalkingDexter: Prevent caching API keys on...

walkingdexter:

Status: Patch (to be ported) » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.