9

I use Vivaldi. I have previously filled in forms where I used a certain name and e-mail.

Today I cleared the browser data except for the autofill stuff.

Then I went to Stack Exchange to register an account. It's pre-populated with an e-mail address and even password filled in because of the autofill feature. This makes me really antsy.

My question is: even though I have not submitted the form, is it possible that the server has "latched on to" this information using JavaScript after it was pre-populated into my form client-side?

Or does it happen in such a way that, while it's shown on my screen as if I typed it in, it was "blasted" onto the form bypassing any JavaScript which may be able to read it and then send it in an Ajax request to the server?

Javiair
  • 107
  • 2
  • 2
    I'm pretty sure it is accessible from JavaScript. Otherwise all client-side validation would break. And the handler can be placed, say, in the `onload` handler. I haven't tested it, though. – nevermind May 03 '22 at 07:17
  • 2
    You might be interested in this thread: [autofill doesn't trigger onChange](https://stackoverflow.com/a/62199697/2791540) – John Wu May 03 '22 at 08:18

2 Answers2

5

Technically it is possible that there is a script that reacts on the content change events and sends data to the web site even if you have not submitted login data explicitly. It depends on the particular web site.

When password is filled via autofill, an "InputEvent" is sent. Means, "onInput" listeners will be notified. One of such listeners can send the data to some remote server.

Suppression of this event would mean deviation from the DOM specification. Actually, pop-up blocking is also formally a deviation, because browser refuses to execute some actions required by the specification. But all such deviations can be usually explicitly enabled/disabled. For autofill there is no such option. Nor there is a "shadow DOM" that would prevent the script from accessing the autofilled data.

TLDR:

You cannot prevent web pages from reading autofilled data and sending them to their websites.

mentallurg
  • 8,536
  • 4
  • 26
  • 41
  • 5
    This is speculating that Chrome doesn't inject the text via some non-javascript view layer, while the user is hoping that it does! – ti7 May 03 '22 at 04:25
  • 1
    @ti7 I tried it with an application I wrote for work. When I fill in the address I doesn't trigger the javascript parts that should be triggered when the fields are filled in. – J_rite May 03 '22 at 07:10
  • @ti7: I don't say that Chrome uses JavaScript. Tell us where you see that And tell us what exactly you call speculation Autofill works even if a web page does not contain any JavaScript. What I mean is that browser changes DOM by setting content to some element. And when DOM is changed, obviously events will be triggered. – mentallurg May 03 '22 at 10:01
  • 5
    @Jungkook Regardless of whether events like "onchange" are triggered, a site that actively wanted to could easily read the autofilled values in some other routine - e.g. a global "onclick" handler, or something polling with `setTimeout`. As Ángel says in their answer, the browser *could* try to make this difficult by masking the values in some way, but it probably doesn't. – IMSoP May 03 '22 at 10:37
  • @IMSoP: When password is filled via autofill, an *"InputEvent"* is sent. Means, *"onInput"* listeners will be notified. Suppression of this event would mean deviation from the DOM specification. Any such intended deviations are usually controlled via settings explicitly, like pop-up blocking. For autofill there is no option to suppress events. Nor there is a *"shadow DOM"* that wold prevent the script from accessing the autofilled data. – mentallurg May 03 '22 at 14:45
3

The easy way to code it would be that such content is available to the javascript website.

It is possible that the browser has protections to "make it look like it's not filled" (this is what is done with visited links, for instance). However, in this case I don't think it's likely they added them, since the entries are presumably only filled on webpages where you previously saved them, in which case they probably considered safe enough that the website knows the fields you provided to the very same website in the past and consented to store.

(Nonetheless, pre-filling the username in an unknown website, and even a password as you describe seems highly problematic)

The easiest way to check this would be to create a simple web page that gets autofilled, and tries to read such field. If it is able to, there's no protection. If it cannot be read directly, there may still be a way to obtain them with javascript, but there's at least a basic attempt to stop it.

Ángel
  • 17,578
  • 3
  • 25
  • 60
  • *where you previously saved them, in which case they probably considered safe enough*. Interesting, what if the website was compromised after sometime? – NotStanding with GoGotaHome May 03 '22 at 11:33
  • @SaveUkraine-StartPeaceTalk Then they could just wait for you to type in your username/password/address as usual – Radvylf Programs May 03 '22 at 14:07
  • @RadvylfPrograms Nope. We are talking about the autofiill feature. – NotStanding with GoGotaHome May 03 '22 at 15:14
  • @SaveUkraine-StartPeaceTalk Sure, but that's a ton of unnecessary work. What are the odds someone who was previously on the site would go to it, autofill their address, then navigate away without submitting? Sure, it happens, but not nearly often enough to be worth it. – Radvylf Programs May 03 '22 at 15:57
  • @Radvylf No one will go to a website and autofiill themselves. That is something a browser does - that is what the question is based on - not my fault! Whatever, I was questioning the browser's trust in a website that a user had previously visited (and logon?) - as this answer proposes – NotStanding with GoGotaHome May 05 '22 at 15:01
  • @SaveUkraine-StartPeaceTalk That's a good point. I was mostly just commenting that the scenario itself wasn't very likely, but it's a good question to ask. – Radvylf Programs May 05 '22 at 15:03
  • @RadvylfPrograms Perhaps, you could have commented on the question instead of pinging me. – NotStanding with GoGotaHome May 06 '22 at 09:49