Hide password form fields by default #3991
I want a CI build so I cannot keep this in draft 😭
Even adding a password field long after the page is loaded (e.g. getting rid of the
Right now I have something that appears to not crash & burn while preventing autofill or offers to save or update credentials in most cases. Assuming of course, that Javascript is enabled. How do we ensure this doesn't introduce worse problems than the one this is attempting to fix?
ATTRIBUTES="${attrs}" EXCEPT="field clazz value" /> | ||
<div class="hidden-password-placeholder"> | ||
<div class="hidden-password-legend"> | ||
<svg width="20px" height="25px" viewBox="0 0 25 32" version="1.1" xmlns="http://www.w3.org/2000/svg"> |
Come to think of it, I think we don't need to inline this svg anymore. It was inlined in the standalone library because there was no good way to reference a static asset from a jar. This could be moved to a more appropriate location in jenkins to be a reusable static asset.
@daniel-beck to disable autocomplete in Chrome you can just add EDIT: it is also working in Firefox Beta, see https://bugzilla.mozilla.org/show_bug.cgi?id=1119063
@zbynek I saw that on MDN, tried it, and failed. Thanks for linking the Firefox bug. Once that works and is reasonably widely supported (is Firefox ESR still around?) we can always change how we prevent autofill, but would rather not hold this change to wait for that (assuming it works otherwise).
@daniel-beck in the final screenshot (Changing one password) does selecting 'Build' beneath the form save the new password?
@josephbrueggen No. It's just valid for the current build you're starting, behavior in general is unchanged from before.
@daniel-beck understood, thanks. This looks good to me.
Tested with Chrome 74.0.3729.131, Firefox 66.0.3 (and 66.0.5), IE 11.706.17134.0, Edge 42.17134.1.0 under Windows 10.
Feature tested:
- writing directly,
- copy-pasting
- drag&dropping text
Every feature works as expected with all browsers.
My only concern was about the design, as in the multiline secret, the button is encapsulated in the border, with larger padding. But as Joe approved it, that's fine.
👍 for the proposal, but tests are required for it to be approved :)
…at first Something like onfocus didn't work, you'd tab through form elements and unless you filled in the user name, changing the form field to password would cause it to autocomplete. It looks like, at least in Mac/Firefox, going from plain text to password in the 'oninput' event handler works. The plain text is revealed neither with typing nor pasting.
Co-Authored-By: daniel-beck <[email protected]>
a90d18a to 9c694b4
Anyone brave enough to write a
No-JavaScript proposal in #4280.
Given how broken the Jenkins UI is without JavaScript, we don't need to specifically take additional care of that.
I do not want this to be merged in the same weekly as #4239.
Manually tested that form field validation continues to work, and it will show on the "concealed" field when the page is loaded.
Looks fine from the code standpoint, did not test manually.
I plan to merge it tomorrow if no negative feedback
Ugh, I missed it during the reviews, because it was on the third page. Will go ahead and merge it
@daniel-beck Just in case, did you have a chance to run ATH against it? The change is unlikely covered by smoke tests
This change is likely to cause regressions in ATH. CC @olivergondza . I still think it worth merging even if we get a number of extra regressions there. I plan to merge it on Friday if no negative feedback
Agreed, if this is to improve things, we can handle some ATH breakage. We are looking for contributors, btw :P
Maybe it should be a major RFE
How long would this change be expected to take before making it into an LTS release? We've had a lot of issues with a user's browser auto-filling forms in the Jenkins System Configuration without their knowledge and it seems like this change would address that.
It was first included in Jenkins 2.205. Jenkins 2.204 was selected as the basis for the next long term support release. Jenkins 2.204.1 will be released in January and will be the long term support base for 3 months. An LTS release including this capability will most likely be available in April 2020.
ETA for the new LTS baseline is Mar 2020, but indeed it will take a while
before it lands in LTS
I see, thanks for the update. Am I correct that this fix will avoid issues
with auto-fill (Chrome, LastPass, etc.) populating data in Jenkins system
configuration? Is there another workaround other than having every Jenkins
admin disable auto-fill in their applications?
@msmitty12 that matches with my reading of the pull request description. Because it has released with Jenkins 2.205, you could test drive it yourself and verify the behavior with:
That will provide you a locally running copy of Jenkins 2.205 that can be accessed on port 8080. I'm not aware of any other workaround.
The goal here is twofold:
Example: Proxy Configuration
When the field value is empty to begin with, show a text field to prevent auto-fill.
When the user enters a value, the field type is switched to password to mask it.
When a value is already filled in, show just a placeholder:
Clicking the button will revert to how it looks in the second screen shot (different from `f:multilineSecret` which has some extra UI around the text area that appears).
Example: Parameterized Build
All concealed by default
Changing one password
Proposed changelog entries
`hudson.Functions.hidingPasswordFields` to `false`.
Submitter checklist
* Use the `Internal:` prefix if the change has no user-visible impact (API, test frameworks, etc.)
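The empty-field behaviour described above (start as a text field, switch to password once the user enters a value), as an added sketch that is not the code from this pull request. `armEmptyField`, `FakeInput` and `replay` are hypothetical names, and `FakeInput` is a constructed stand-in for an `<input>` element so the sketch runs under Node without a DOM.

```javascript
// Added illustration; not the code from this pull request.
// armEmptyField, FakeInput and replay are hypothetical names.

// An empty secret field starts as type="text" and is masked only once the
// user has entered something. Listening on 'input' rather than 'focus'
// covers typing, pasting and drag-and-drop, and does nothing while the user
// merely tabs through the form.
function armEmptyField(field) {
  const onInput = () => {
    if (field.value.length > 0) {
      field.type = 'password';                 // mask as soon as there is content
      field.removeEventListener('input', onInput);
    }
  };
  field.type = 'text';
  field.addEventListener('input', onInput);
  return field;
}

// Constructed stand-in for an <input> element so the sketch runs under Node
// without a DOM; in a browser, pass the real element to armEmptyField.
class FakeInput extends EventTarget {
  constructor() {
    super();
    this.type = 'password';
    this.value = '';
  }
}

// Replays constructed user actions and records the field type after each.
function replay(actions) {
  const field = armEmptyField(new FakeInput());
  const types = [field.type];
  for (const action of actions) {
    if (action.kind === 'input') field.value = action.value;
    field.dispatchEvent(new Event(action.kind));
    types.push(field.type);
  }
  return types;
}

console.log(replay([{ kind: 'focus' }, { kind: 'input', value: 's3cret' }]));
```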