Hi everyone,
We have recently upgraded our Jira from 7.12 to 8.13, and one of the security vulnerabilities needs to be fixed. Please share your knowledge to resolve the same.
When we place the cursor on the username field, it automatically shows the username below, which needs to be prevented.
Thank you in advance.
Hi @vivekrao_k ,
This looks like the browser is remembering previous values entered into the form, rather than something Jira is trying to autocomplete server-side. My suggestion would be to clear or disable the autofill feature in the browser. Here's an article describing how to do this for the most popular browsers on both Mac and Windows.
Cheers,
Daniel
Hi @Daniel Eads
Thank you for the response, but for the previous versions of Jira (7.12) and Confluence (6.12), we had seen this login population was disabled by editing login.vm in Confluence and login.jsp in Jira, if you have any idea regarding what value needs to be changed to solve this issue. But in the latest versions, Jira 8.13 and Confluence 7.14, I am doing the same changes but it is not reflecting.
Your suggestion would be appreciated.
Hi @vivekrao_k ,
Browsers have not supported this consistently for a while. According to the Mozilla developer docs:
Modern browsers implement integrated password management: when the user enters a username and password for a site, the browser offers to remember it for the user. When the user visits the site again, the browser autofills the login fields with the stored values.
Additionally, the browser enables the user to choose a master password that the browser will use to encrypt stored login details.
Even without a master password, in-browser password management is generally seen as a net gain for security. Since users do not have to remember passwords that the browser stores for them, they are able to choose stronger passwords than they would otherwise.
For this reason, many modern browsers do not support autocomplete="off" for login fields:
- If a site sets autocomplete="off" for a <form>, and the form includes username and password input fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
- If a site sets autocomplete="off" for username and password <input> fields, then the browser still offers to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits the page.
This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
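As an added illustration of the MDN rule quoted above (not code from this thread, Atlassian or MDN): a small Python check that reports where a login template sets autocomplete="off" in a way the listed browsers ignore. The sample markup, the field names and the heuristic that text or email inputs beside a password input are username fields are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample markup; not Jira's login.jsp or Confluence's login.vm.
SAMPLE = """
<form id="login-form" autocomplete="off" method="post">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
</form>
<form id="search" autocomplete="off"><input type="text" name="q"></form>
"""

CREDENTIAL_TYPES = {"text", "email", "password"}  # assumed username/password input types


class FormCollector(HTMLParser):
    """Record every <form> with its autocomplete value and its <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._form = None  # form currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ac = (a.get("autocomplete") or "").strip().lower()
        if tag == "form":
            self._form = {"id": a.get("id", "?"), "autocomplete": ac, "inputs": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            kind = (a.get("type") or "text").lower()  # type defaults to text
            self._form["inputs"].append((a.get("name", "?"), kind, ac))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def ignored_autocomplete_off(html):
    """Return (form id, element) pairs whose autocomplete="off" falls under the quoted rule."""
    collector = FormCollector()
    collector.feed(html)
    hits = []
    for form in collector.forms:
        if not any(kind == "password" for _, kind, _ in form["inputs"]):
            continue  # no password field, so the login-field rule does not apply
        if form["autocomplete"] == "off":
            hits.append((form["id"], "<form>"))
        hits += [(form["id"], name) for name, kind, ac in form["inputs"]
                 if kind in CREDENTIAL_TYPES and ac == "off"]
    return hits
```

Calling `ignored_autocomplete_off(SAMPLE)` lists the login form and its password input and skips the search form, which has no password field.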