Bug 236432

Summary: Autofill sets the `value` of an `<input>` with `name="token"` to the user's email address
Product: WebKit
Component: Forms
Status: RESOLVED MOVED
Severity: Normal
Priority: P2
Version: Safari 15
Hardware: Unspecified
OS: macOS 12
Reporter: Brody <brody>
Assignee: Nobody <webkit-unassigned>
CC: cdumez, webkit-bug-importer, wenson_hsieh
Keywords: InRadar

Brody
Reported 2022-02-10 00:29:47 PST
While developing a website I noticed some unusual activity while testing it in Safari. Given a form such as:

```
<form>
  <input type="hidden" name="token" value="[SOME LONG RANDOM STRING HERE]" autocomplete="off">
  <input type="password" name="password" autocomplete="new-password">
  <input type="password" name="password_confirmation" autocomplete="new-password">
</form>
```

The browser is setting the token to the user's email address. The workaround involved using the `Referer` header when the `User-Agent` matches Safari, but no other browser ran into this issue.
Chris Dumez
Comment 1 2022-02-10 07:25:13 PST
Likely a Safari issue, not a WebKit one. Importing the bug into radar so that it can be sent to the right people.
Radar WebKit Bug Importer
Comment 2 2022-02-10 07:25:24 PST