253390 – WebKit AX APIs expose secure text that is visibly hidden through HTMLInputElement::isAutoFilledAndObscured

RESOLVED FIXED 253390

WebKit AX APIs expose secure text that is visibly hidden through HTMLInputElement::isAutoFilledAndObscured

https://bugs.webkit.org/show_bug.cgi?id=253390

Summary WebKit AX APIs expose secure text that is visibly hidden through HTMLInputEle...

Tyler Wilcock

Reported 2023-03-04 11:53:13 PST

AX APIs should not expose text hidden via HTMLInputElement::isAutoFilledAndObscured.

Attachments
Patch (34.28 KB, patch) 2023-03-04 12:05 PST, Tyler Wilcock	no flags	Details Formatted Diff Diff
Patch (34.56 KB, patch) 2023-03-04 12:07 PST, Tyler Wilcock	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (34.60 KB, patch) 2023-03-04 12:14 PST, Tyler Wilcock	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (36.97 KB, patch) 2023-03-04 12:46 PST, Tyler Wilcock	no flags	Details Formatted Diff Diff
Patch (36.94 KB, patch) 2023-03-06 10:56 PST, Tyler Wilcock	no flags	Details Formatted Diff Diff
Patch (36.98 KB, patch) 2023-03-06 10:58 PST, Tyler Wilcock	no flags	Details Formatted Diff Diff
Show Obsolete (5) View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2023-03-04 11:53:21 PST

<rdar://problem/106237490>

Tyler Wilcock

Comment 2 2023-03-04 11:53:25 PST

rdar://92358745

Tyler Wilcock

Comment 3 2023-03-04 12:05:53 PST

Created attachment 465294 [details] Patch

Tyler Wilcock

Comment 4 2023-03-04 12:07:23 PST

Created attachment 465295 [details] Patch

Tyler Wilcock

Comment 5 2023-03-04 12:14:27 PST

Created attachment 465296 [details] Patch

Tyler Wilcock

Comment 6 2023-03-04 12:46:58 PST

Created attachment 465297 [details] Patch

Andres Gonzalez

Comment 7 2023-03-06 08:11:35 PST

(In reply to Tyler Wilcock from comment #6) > Created attachment 465297 [details] > Patch * LayoutTests/accessibility/password-field-value-expected.txt: Removed. * LayoutTests/accessibility/password-field-value.html: Removed. * LayoutTests/accessibility/secure-field-value-expected.txt: Added. * LayoutTests/accessibility/secure-field-value.html: Added. Can this be a `git mv` instead? --- a/Source/WebCore/accessibility/AccessibilityNodeObject.cpp +++ b/Source/WebCore/accessibility/AccessibilityNodeObject.cpp -bool AccessibilityNodeObject::isPasswordField() const +bool AccessibilityNodeObject::isSecureField() const ... - return downcast<HTMLInputElement>(*node).isPasswordField(); + return input->isPasswordField() || input->isAutoFilledAndObscured(); Why not use the method you defined in HTMLInputElement: + bool isSecureField() const { return isPasswordField() || isAutoFilledAndObscured(); }

Tyler Wilcock

Comment 8 2023-03-06 10:56:14 PST

Created attachment 465318 [details] Patch

Tyler Wilcock

Comment 9 2023-03-06 10:58:11 PST

Created attachment 465319 [details] Patch

EWS

Comment 10 2023-03-06 23:36:22 PST

Committed 261312@main (509d2d337d1c): <https://commits.webkit.org/261312@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 465319 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component Accessibility

Assignee

Tyler Wilcock

Reported

2023-03-04 11:53 PST

Modified

2023-03-06 23:36 PST History

CC List

15 users Show

URL

Keywords InRadar

Depends on

Blocks