Bug 253390

Summary: WebKit AX APIs expose secure text that is visibly hidden through HTMLInputElement::isAutoFilledAndObscured
Product: WebKit Reporter: Tyler Wilcock <tyler_w>
Component: AccessibilityAssignee: Tyler Wilcock <tyler_w>
Status: RESOLVED FIXED    
Severity: Normal CC: aboxhall, andresg_22, apinheiro, cdumez, cfleizach, changseok, dmazzoni, esprehn+autocc, ews-watchlist, gyuyoung.kim, jcraig, jdiggs, mifenton, samuel_white, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
ews-feeder: commit-queue-
Patch
ews-feeder: commit-queue-
Patch
none
Patch
none
Patch none

Tyler Wilcock
Reported 2023-03-04 11:53:13 PST
AX APIs should not expose text hidden via HTMLInputElement::isAutoFilledAndObscured.
Attachments
Patch (34.28 KB, patch)
2023-03-04 12:05 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (34.56 KB, patch)
2023-03-04 12:07 PST, Tyler Wilcock 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (34.60 KB, patch)
2023-03-04 12:14 PST, Tyler Wilcock 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (36.97 KB, patch)
2023-03-04 12:46 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (36.94 KB, patch)
2023-03-06 10:56 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Patch (36.98 KB, patch)
2023-03-06 10:58 PST, Tyler Wilcock 		no flags
DetailsFormatted DiffDiff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2023-03-04 11:53:21 PST
<rdar://problem/106237490>
Tyler Wilcock
Comment 2 2023-03-04 11:53:25 PST
rdar://92358745
Tyler Wilcock
Comment 3 2023-03-04 12:05:53 PST
Created attachment 465294 [details] Patch
Tyler Wilcock
Comment 4 2023-03-04 12:07:23 PST
Created attachment 465295 [details] Patch
Tyler Wilcock
Comment 5 2023-03-04 12:14:27 PST
Created attachment 465296 [details] Patch
Tyler Wilcock
Comment 6 2023-03-04 12:46:58 PST
Created attachment 465297 [details] Patch
Andres Gonzalez
Comment 7 2023-03-06 08:11:35 PST
(In reply to Tyler Wilcock from comment #6) > Created attachment 465297 [details] > Patch * LayoutTests/accessibility/password-field-value-expected.txt: Removed. * LayoutTests/accessibility/password-field-value.html: Removed. * LayoutTests/accessibility/secure-field-value-expected.txt: Added. * LayoutTests/accessibility/secure-field-value.html: Added. Can this be a `git mv` instead? --- a/Source/WebCore/accessibility/AccessibilityNodeObject.cpp +++ b/Source/WebCore/accessibility/AccessibilityNodeObject.cpp -bool AccessibilityNodeObject::isPasswordField() const +bool AccessibilityNodeObject::isSecureField() const ... - return downcast<HTMLInputElement>(*node).isPasswordField(); + return input->isPasswordField() || input->isAutoFilledAndObscured(); Why not use the method you defined in HTMLInputElement: + bool isSecureField() const { return isPasswordField() || isAutoFilledAndObscured(); }
Tyler Wilcock
Comment 8 2023-03-06 10:56:14 PST
Created attachment 465318 [details] Patch
Tyler Wilcock
Comment 9 2023-03-06 10:58:11 PST
Created attachment 465319 [details] Patch
EWS
Comment 10 2023-03-06 23:36:22 PST
Committed 261312@main (509d2d337d1c): <https://commits.webkit.org/261312@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 465319 [details].
Note You need to log in before you can comment on or make changes to this bug.