Bug 253390 - WebKit AX APIs expose secure text that is visibly hidden through HTMLInputElement::isAutoFilledAndObscured
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Accessibility
Version: Other
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Tyler Wilcock
Keywords: InRadar
Reported: 2023-03-04 11:53 PST by Tyler Wilcock
Modified: 2023-03-06 23:36 PST

Attachments
Patch (34.28 KB, patch), 2023-03-04 12:05 PST, Tyler Wilcock, no flags
Patch (34.56 KB, patch), 2023-03-04 12:07 PST, Tyler Wilcock, ews-feeder: commit-queue-
Patch (34.60 KB, patch), 2023-03-04 12:14 PST, Tyler Wilcock, ews-feeder: commit-queue-
Patch (36.97 KB, patch), 2023-03-04 12:46 PST, Tyler Wilcock, no flags
Patch (36.94 KB, patch), 2023-03-06 10:56 PST, Tyler Wilcock, no flags
Patch (36.98 KB, patch), 2023-03-06 10:58 PST, Tyler Wilcock, no flags

Description Tyler Wilcock 2023-03-04 11:53:13 PST
AX APIs should not expose text hidden via HTMLInputElement::isAutoFilledAndObscured.
Comment 1 Radar WebKit Bug Importer 2023-03-04 11:53:21 PST
<rdar://problem/106237490>
Comment 2 Tyler Wilcock 2023-03-04 11:53:25 PST
rdar://92358745
Comment 3 Tyler Wilcock 2023-03-04 12:05:53 PST
Created attachment 465294
Patch
Comment 4 Tyler Wilcock 2023-03-04 12:07:23 PST
Created attachment 465295
Patch
Comment 5 Tyler Wilcock 2023-03-04 12:14:27 PST
Created attachment 465296
Patch
Comment 6 Tyler Wilcock 2023-03-04 12:46:58 PST
Created attachment 465297
Patch
Comment 7 Andres Gonzalez 2023-03-06 08:11:35 PST
(In reply to Tyler Wilcock from comment #6)
> Created attachment 465297
> Patch

* LayoutTests/accessibility/password-field-value-expected.txt: Removed.
* LayoutTests/accessibility/password-field-value.html: Removed.
* LayoutTests/accessibility/secure-field-value-expected.txt: Added.
* LayoutTests/accessibility/secure-field-value.html: Added.

Can this be a `git mv` instead?

--- a/Source/WebCore/accessibility/AccessibilityNodeObject.cpp
+++ b/Source/WebCore/accessibility/AccessibilityNodeObject.cpp


-bool AccessibilityNodeObject::isPasswordField() const
+bool AccessibilityNodeObject::isSecureField() const
...
-    return downcast<HTMLInputElement>(*node).isPasswordField();
+    return input->isPasswordField() || input->isAutoFilledAndObscured();
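
Review bot: The new return line dereferences `input` with `->`, where the removed line went through `downcast<HTMLInputElement>(*node)`; the code that obtains `input` sits in the elided `...` part of this hunk, so confirm it is null-checked with an early return before this line. Separately, the rename to `isSecureField()` widens what this accessor reports to include fields where `isAutoFilledAndObscured()` is true, so a short comment stating that obscured autofill values are treated like password values for accessibility would help the next reader.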

Why not use the method you defined in HTMLInputElement:

+    bool isSecureField() const { return isPasswordField() || isAutoFilledAndObscured(); }
Comment 8 Tyler Wilcock 2023-03-06 10:56:14 PST
Created attachment 465318
Patch
Comment 9 Tyler Wilcock 2023-03-06 10:58:11 PST
Created attachment 465319
Patch
Comment 10 EWS 2023-03-06 23:36:22 PST
Committed 261312@main (509d2d337d1c): <https://commits.webkit.org/261312@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 465319.