Bug 2186619

Summary:	Browser Allows Password Auto-completion
Product:	Red Hat OpenStack	Reporter:	camorris@redhat.co <camorris>
Component:	python-django-horizon	Assignee:	David Hill <dhill>
Status:	ASSIGNED ---	QA Contact:	Ashish Gupta <ashigupt>
Severity:	low	Docs Contact:
Priority:	low
Version:	16.2 (Train)	CC:	dhill, jjasek, rdopiera, tovchinn
Target Milestone:	---	Keywords:	Triaged
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	python-django-horizon-16.2.3-2.20230510005035.f9e08ed.el8ost	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description camorris@redhat.co 2023-04-13 20:31:31 UTC

Description of problem:
Customer wants to know how to disable password auto-completion in Horizon. 

Is it possible to do it manually by modifying the Horizon container image as a workaround ?

I didn't see anyway in the hardening guide.

Version-Release number of selected component (if applicable):
16.2

How reproducible:
Everytime

Steps to Reproduce:
1.
2.
3.

Actual results:
Can't do it

Expected results:
Be able to do it

Additional info:

Comment 1 David Hill 2023-04-13 20:42:15 UTC

    {% block login_body %}
      {% comment %}
        These fake fields are required to prevent Chrome v34+ from autofilling form.
      {% endcomment %}
      {% if HORIZON_CONFIG.password_autocomplete != "on" %}
        <div class="fake_credentials" style="display: none">
          <input type="text" name="fake_email" value="" />
          <input type="password" name="fake_password" value="" />
        </div>
      {%endif%}

Comment 2 David Hill 2023-04-13 20:43:01 UTC

[dhill@knox horizon]$ grep -r password_autocomplete *
conf/default.py:    'password_autocomplete': 'off',
templates/auth/_login_form.html:      {% if HORIZON_CONFIG.password_autocomplete != "on" %}
templates/auth/_password_form.html:      {% if HORIZON_CONFIG.password_autocomplete != "on" %}

Comment 3 David Hill 2023-04-13 20:49:35 UTC

What is the browser being used ?

Comment 4 David Hill 2023-04-13 20:52:07 UTC

Maybe https://review.opendev.org/c/openstack/horizon/+/880364 is enough ?

Comment 6 Radomir Dopieralski 2023-04-14 10:10:31 UTC

This setting should do it: https://docs.openstack.org/horizon/latest/configuration/settings.html#password-autocomplete

Comment 12 Jan Jasek 2023-08-02 23:37:19 UTC

Hello David.
I would like to verify the bugfix but from the description I am not sure what exactly I should test.
Could you please specify this bug (and how to reproduce it) more precisely?
Alternatively, add whether the issue is only in some specific browser.

Thank you.