Bug 253390

Summary: WebKit AX APIs expose secure text that is visibly hidden through HTMLInputElement::isAutoFilledAndObscured
Product: WebKit Reporter: Tyler Wilcock <tyler_w>
Component: AccessibilityAssignee: Tyler Wilcock <tyler_w>
Status: RESOLVED FIXED    
Severity: Normal CC: aboxhall, andresg_22, apinheiro, cdumez, cfleizach, changseok, dmazzoni, esprehn+autocc, ews-watchlist, gyuyoung.kim, jcraig, jdiggs, mifenton, samuel_white, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: Other   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
ews-feeder: commit-queue-
Patch
ews-feeder: commit-queue-
Patch
none
Patch
none
Patch none

Description Tyler Wilcock 2023-03-04 11:53:13 PST 
AX APIs should not expose text hidden via HTMLInputElement::isAutoFilledAndObscured.
Comment 1 Radar WebKit Bug Importer 2023-03-04 11:53:21 PST 
<rdar://problem/106237490>
Comment 2 Tyler Wilcock 2023-03-04 11:53:25 PST 
rdar://92358745
Comment 3 Tyler Wilcock 2023-03-04 12:05:53 PST 
Created attachment 465294 [details]
Patch
Comment 4 Tyler Wilcock 2023-03-04 12:07:23 PST 
Created attachment 465295 [details]
Patch
Comment 5 Tyler Wilcock 2023-03-04 12:14:27 PST 
Created attachment 465296 [details]
Patch
Comment 6 Tyler Wilcock 2023-03-04 12:46:58 PST 
Created attachment 465297 [details]
Patch
Comment 7 Andres Gonzalez 2023-03-06 08:11:35 PST 
(In reply to Tyler Wilcock from comment #6)
> Created attachment 465297 [details]
> Patch

* LayoutTests/accessibility/password-field-value-expected.txt: Removed.
* LayoutTests/accessibility/password-field-value.html: Removed.
* LayoutTests/accessibility/secure-field-value-expected.txt: Added.
* LayoutTests/accessibility/secure-field-value.html: Added.

Can this be a `git mv` instead?

--- a/Source/WebCore/accessibility/AccessibilityNodeObject.cpp
+++ b/Source/WebCore/accessibility/AccessibilityNodeObject.cpp


-bool AccessibilityNodeObject::isPasswordField() const
+bool AccessibilityNodeObject::isSecureField() const
...
-    return downcast<HTMLInputElement>(*node).isPasswordField();
+    return input->isPasswordField() || input->isAutoFilledAndObscured();

Why not use the method you defined in HTMLInputElement:

+    bool isSecureField() const { return isPasswordField() || isAutoFilledAndObscured(); }
Comment 8 Tyler Wilcock 2023-03-06 10:56:14 PST 
Created attachment 465318 [details]
Patch
Comment 9 Tyler Wilcock 2023-03-06 10:58:11 PST 
Created attachment 465319 [details]
Patch
Comment 10 EWS 2023-03-06 23:36:22 PST 
Committed 261312@main (509d2d337d1c): <https://commits.webkit.org/261312@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 465319 [details].