Bug 184510

Summary: Implement input-security property (a standardized replacement for -webkit-text-security)
Product: WebKit Reporter: Theresa O'Connor <eoconnor>
Component: CSSAssignee: Aditya Keerthi <akeerthi>
Status: RESOLVED FIXED    
Severity: Normal CC: akeerthi, ap, changseok, clopez, eoconnor, esprehn+autocc, ews-watchlist, glenn, gyuyoung.kim, hi, joepeck, koivisto, kondapallykalyan, macpherson, megan_gardner, menard, pdr, simon.fraser, thorton, webkit-bug-importer, wenson_hsieh, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://github.com/web-platform-tests/wpt/pull/30848
Attachments:
Description Flags
For EWS
none
Patch none

Theresa O'Connor
Reported 2018-04-11 11:26:29 PDT
As (will be) specced in CSS UI Level 4. CSS WG issue: https://github.com/w3c/csswg-drafts/issues/2495
Attachments
For EWS (32.47 KB, patch)
2021-09-15 20:05 PDT, Aditya Keerthi 		no flags
DetailsFormatted DiffDiff
Patch (99.28 KB, patch)
2021-09-16 14:18 PDT, Aditya Keerthi 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Theresa O'Connor
Comment 1 2021-06-30 12:33:22 PDT
It's now specced: https://drafts.csswg.org/css-ui-4/#input-security
Radar WebKit Bug Importer
Comment 2 2021-06-30 12:33:42 PDT
<rdar://problem/79979992>
Aditya Keerthi
Comment 3 2021-09-15 20:05:16 PDT
Created attachment 438315 [details] For EWS
EWS Watchlist
Comment 4 2021-09-15 20:06:11 PDT
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Aditya Keerthi
Comment 5 2021-09-16 14:18:18 PDT
Created attachment 438401 [details] Patch
Antti Koivisto
Comment 6 2021-09-17 22:02:47 PDT
Comment on attachment 438401 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438401&action=review > Source/WebCore/style/StyleAdjuster.cpp:396 > + if (is<HTMLInputElement>(*m_element) && downcast<HTMLInputElement>(*m_element).isPasswordField()) > + style.setTextSecurity(style.inputSecurity() == InputSecurity::Auto ? TextSecurity::Disc : TextSecurity::None); This is not an ideal way to do this because -webkit-test-security is observable. Maybe you could keep this approach and but move this to HTMLInputElement::createInnerTextStyle? Then the mutated -webkit-test-security only affects the shadow tree.
Aditya Keerthi
Comment 7 2021-09-18 14:50:19 PDT
(In reply to Antti Koivisto from comment #6) > Comment on attachment 438401 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=438401&action=review > > > Source/WebCore/style/StyleAdjuster.cpp:396 > > + if (is<HTMLInputElement>(*m_element) && downcast<HTMLInputElement>(*m_element).isPasswordField()) > > + style.setTextSecurity(style.inputSecurity() == InputSecurity::Auto ? TextSecurity::Disc : TextSecurity::None); > > This is not an ideal way to do this because -webkit-test-security is > observable. This implementation was intentional (and reflected in the test `computed-text-security-for-input-security.html` I added). I mentioned the reasoning in the ChangeLog, but will explain again here. I know of at least one script which uses the computed value of `-webkit-text-security` to determine whether or not an input has obscured text. Without making the change here, a password field with `input-security: auto` (which obscures the text) could have `-webkit-text-security: none` in its computed style. This would lead to the script incorrectly assuming that the text is unobscured. Consequently, for compatibility, my patch ensures that the observed value of `-webkit-text-security` matches the `input-security`.
Antti Koivisto
Comment 8 2021-09-18 22:47:00 PDT
Comment on attachment 438401 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438401&action=review >>> Source/WebCore/style/StyleAdjuster.cpp:396 >>> + style.setTextSecurity(style.inputSecurity() == InputSecurity::Auto ? TextSecurity::Disc : TextSecurity::None); >> >> This is not an ideal way to do this because -webkit-test-security is observable. >> >> Maybe you could keep this approach and but move this to HTMLInputElement::createInnerTextStyle? Then the mutated -webkit-test-security only affects the shadow tree. > > This implementation was intentional (and reflected in the test `computed-text-security-for-input-security.html` I added). I mentioned the reasoning in the ChangeLog, but will explain again here. > > I know of at least one script which uses the computed value of `-webkit-text-security` to determine whether or not an input has obscured text. Without making the change here, a password field with `input-security: auto` (which obscures the text) could have `-webkit-text-security: none` in its computed style. This would lead to the script incorrectly assuming that the text is unobscured. Consequently, for compatibility, my patch ensures that the observed value of `-webkit-text-security` matches the `input-security`. Ok, sounds reasonable
Aditya Keerthi
Comment 9 2021-09-20 08:57:53 PDT
Comment on attachment 438401 [details] Patch Thanks for the review!
EWS
Comment 10 2021-09-20 09:19:11 PDT
Committed r282750 (241887@main): <https://commits.webkit.org/241887@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 438401 [details].
Note You need to log in before you can comment on or make changes to this bug.