Bug 2186619 - Browser Allows Password Auto-completion
Keywords:
Status: ASSIGNED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: 16.2 (Train)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: David Hill
QA Contact: Ashish Gupta
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-04-13 20:31 UTC by camorris@redhat.co
Modified: 2023-08-10 14:48 UTC (History)

Fixed In Version: python-django-horizon-16.2.3-2.20230510005035.f9e08ed.el8ost
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
OpenStack gerrit 880364 0 None MERGED Disable form auto-complete on login form 2023-05-05 18:59:42 UTC
OpenStack gerrit 882295 0 None NEW Disable form auto-complete on login form 2023-05-05 18:59:26 UTC
Red Hat Issue Tracker OSP-24178 0 None None None 2023-04-13 20:32:10 UTC

Description camorris@redhat.co 2023-04-13 20:31:31 UTC
Description of problem:
Customer wants to know how to disable password auto-completion in Horizon. 

Is it possible to do it manually by modifying the Horizon container image as a workaround?

I didn't see any way in the hardening guide.

Version-Release number of selected component (if applicable):
16.2

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.

Actual results:
Can't do it

Expected results:
Be able to do it

Additional info:

Comment 1 David Hill 2023-04-13 20:42:15 UTC
    {% block login_body %}
      {% comment %}
        These fake fields are required to prevent Chrome v34+ from autofilling form.
      {% endcomment %}
      {% if HORIZON_CONFIG.password_autocomplete != "on" %}
        <div class="fake_credentials" style="display: none">
          <input type="text" name="fake_email" value="" />
          <input type="password" name="fake_password" value="" />
        </div>
      {%endif%}

Comment 2 David Hill 2023-04-13 20:43:01 UTC
[dhill@knox horizon]$ grep -r password_autocomplete *
conf/default.py:    'password_autocomplete': 'off',
templates/auth/_login_form.html:      {% if HORIZON_CONFIG.password_autocomplete != "on" %}
templates/auth/_password_form.html:      {% if HORIZON_CONFIG.password_autocomplete != "on" %}

Comment 3 David Hill 2023-04-13 20:49:35 UTC
What is the browser being used?

Comment 4 David Hill 2023-04-13 20:52:07 UTC
Maybe https://review.opendev.org/c/openstack/horizon/+/880364 is enough?

Comment 6 Radomir Dopieralski 2023-04-14 10:10:31 UTC
This setting should do it: https://docs.openstack.org/horizon/latest/configuration/settings.html#password-autocomplete

Comment 12 Jan Jasek 2023-08-02 23:37:19 UTC
Hello David.
I would like to verify the bugfix but from the description I am not sure what exactly I should test.
Could you please specify this bug (and how to reproduce it) more precisely?
Alternatively, add whether the issue is only in some specific browser.

Thank you.
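
One way to check the rendered login page for the markup this bug is about, as an added example that is not part of the bug report or of Horizon's code. It assumes that a page served with password_autocomplete set to off carries autocomplete="off" on the form or on the password input, and it looks for the fake_credentials fields from Comment 1; the function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

DECOYS = {"fake_email", "fake_password"}  # hidden fields from the template in Comment 1

class LoginFormAudit(HTMLParser):
    """Record the effective autocomplete value of each real password input."""

    def __init__(self):
        super().__init__()
        self.form_ac = None      # autocomplete value of the enclosing <form>, if any
        self.findings = []       # one dict per non-decoy password input
        self.decoys_seen = set()

    def handle_starttag(self, tag, attrs):
        # Attribute values are normalised to lower case before comparison.
        a = {k: (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.form_ac = a.get("autocomplete") or None
        elif tag == "input" and a.get("name") in DECOYS:
            self.decoys_seen.add(a["name"])
        elif tag == "input" and a.get("type") == "password":
            # An attribute on the input itself takes precedence over the form's.
            effective = a.get("autocomplete") or self.form_ac
            self.findings.append({"name": a.get("name", ""),
                                  "autocomplete": effective, "ok": effective == "off"})

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_ac = None

def audit_login_html(html):
    """Return per-field findings plus an overall verdict for one rendered page."""
    parser = LoginFormAudit()
    parser.feed(html)
    parser.close()
    return {"password_inputs": parser.findings,
            "decoys_present": DECOYS <= parser.decoys_seen,
            "compliant": bool(parser.findings) and all(f["ok"] for f in parser.findings)}

# Constructed sample markup (not captured from a real Horizon deployment).
FORM_BODY = '<input type="text" name="username" /><input type="password" name="password" />'
DECOY_DIV = ('<div class="fake_credentials" style="display: none">'
             '<input type="text" name="fake_email" value="" />'
             '<input type="password" name="fake_password" value="" /></div>')
PAGE_OFF = '<form method="POST" autocomplete="off">' + DECOY_DIV + FORM_BODY + '</form>'
PAGE_ON = '<form method="POST">' + FORM_BODY + '</form>'

if __name__ == "__main__":
    for label, page in (("off", PAGE_OFF), ("on", PAGE_ON)):
        print(label, audit_login_html(page))
```

autocomplete="off" is only a request to the browser, and password managers in current browsers may still offer to fill login fields, so a passing result describes the markup being served rather than what a given browser does with it.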

