[Zope] IE5 form entry horror.

Anthony Baxter Anthony Baxter <anthony@interlink.com.au>
Thu, 13 May 1999 11:01:13 +1000


>>> Wolf Logan wrote
> i think i have to agree...this is a client security problem, and not one
> that can be easily "fixed" from the server side. there are a million
> (approximately!) security holes in most web browsers...and most of them
> aren't as obvious to the user as this one. if you try to solve client-side
> security issues from the server side, you're setting yourself up for a
> *huge* chunk of work, most of which will be thankless (and unprofitable).

In this case, it can be made to be less of a problem by making the field
names that you care about have a random bit on the end, which the converters
remove automatically.

It's also _necessary_ to fix this for the client. The issue in question
is collecting credit card numbers. If the end user gets their card ripped
off, it's us, as the merchant, who bears the cost of the reversals when the
customer rings up and complains.

Expecting this to be fixed at the client side is infeasible - a large 
amount of traffic we expect to see from internet cafes and the like. By
and large, these places are not staffed with very clueful computer 
support people.

> on the other hand, the autocomplete function only works on fields that are
> "visible" to the user...it doesn't work on "password" style fields. that
> might be of some help.

credit card numbers are 15-16 digits long - a little unrealistic to expect
them to be typed in blind.

>>> Alexander Staubo wrote
> It's a client security problem, not something that hits the server in
> any particular way. If the desktop user configured his computer so that
> anyone can reclaim his password from the autocomplete list, that's his
> problem. You could "fix" Zope, but it wouldn't fix the thousands of
> other web sites which also do credit card.

Yes, but the other web sites are not my problem. If they are defrauded, it's
not my company that gets the customer complaint, and the cost of the reversal.

> Afaik, autocompletion on forms is disabled by default.

Nope, it's on by default. there's a tag of "autocomplete" for input type=text,
but it doesn't seem to let you turn it off.

The _real_ fix is for MS to not bloody cache data entered into forms which
are secure (https). Chance of getting that fixed? 
(No, I haven't bothered trying to ring MS to complain - I object to having to
pay money to log a bug report.)

Anthony