| Comments: |
Thanks -- this is very cool indeed! I'm employed in a Mac environment now, so I'll pass this around at work.
Thanks again.
I love the smell of binary patches in the morning.
I do, too, and the idea behind this one is solid. I would make this change though: ...
perl -pe 's/(\000autocomplet)e(\000)/\1_\2/gsi' < WebCore.orig > WebCore
in order to avoid confusing anything which might assume sortedness. Lots of things are assumed to be sorted, and since tags aren't abbreviatable, that is just as good.
As it so happens, "autocomplete" appears exactly once in a big (unsorted) table of attributes. So it doesn't really matter either way.
it'd also be nice if reset everything really blew everything away, alas it does not, but do feel free to let me know how to fix that also :)
Huh. I used to do something similar to turn 'blink' into 'brink' in Netscape.
I use firefox on both my windows machines and my powerbook. so I wrote a greasemonkey script to reset any autocomplete tags to 'yes'.
Really, Shouldn't /I/ be the arbiter of my own security?
Normally yes, and thankfully they'r efairly easy to override, but there's some history here. Basically, it was some backroom blackmail. The big banks and such threatened to not support Moz/FF on purpose unless we all drank their Koolaid and gave them the autocomplete attribute. It soothed their lawyerbots enough, and it's still fairly easy to override. It's a case of waving the dead chicken.
![[User Picture]](http://p-userpic.livejournal.com/72987820/3427013) | From: ![[info]](http://p-stat.livejournal.com/img/userinfo.gif) ebel
Fri, 2-May-2008 4:12 PM (UTC)
| (Link)
|
it's still fairly easy to override. 'easy'? Sedding the binary is easy?
Hard to recall exactly what I was referring to from three years ago, but most users would just swap out the binary with a prehacked one. But it's trivially easy to end run by just scanning it in another app.
share? (for win+firefox) :P
Apparently I haven't gotten around to installing it on this machine yet. I'll grab it off another machine as soon as I get a chance, and reply here with a link.
![[User Picture]](http://p-userpic.livejournal.com/34905971/405936) | From: georgedorn
Tue, 22-Nov-2005 7:54 AM (UTC)
Greasemonkey goodness. | (Link)
|
Ask, and ye shall receive. Love greasemonkey. Absurdly simple hack, though.
![[User Picture]](http://p-userpic.livejournal.com/62911738/514465) | From: tithonium
Tue, 22-Nov-2005 6:26 PM (UTC)
Re: Greasemonkey goodness. | (Link)
|
That's even cleaner than the one I had. Guess I /won't/ post mine. ::)
![[User Picture]](http://p-userpic.livejournal.com/5887295/515656) | From: jwz
Tue, 22-Nov-2005 10:37 AM (UTC)
| (Link)
|
Deleted for horizonal-scrollbar horribleness.
Yeah, I stumbled across that JS too, but it no workee in Safari.
![[User Picture]](http://p-userpic.livejournal.com/39554298/562816) | From: malokai
Tue, 22-Nov-2005 8:02 PM (UTC)
actually, no you shouldn't | (Link)
|
Some companies/services are required by law to force you to enter your username and password every single time. Usually this is only delegated to medical however (to prevent an unlocked workstation from being a point of attack). Banks have an interest in this because stored passwords = retrievable passwords.
![[User Picture]](http://p-userpic.livejournal.com/32822981/405936) | From: georgedorn
Tue, 22-Nov-2005 10:05 PM (UTC)
Re: actually, no you shouldn't | (Link)
|
Obviously, don't do this at a public workstation. Obviously, don't do this on any computer that you don't lock when you stand up, if anybody else can get at the computer.
autocomplete has nothing to do with store passwords, though.
| From: malokai
Thu, 24-Nov-2005 10:21 PM (UTC)
Re: actually, no you shouldn't | (Link)
|
meh, I misunderstood the point of the tag.
| From: jwz
Thu, 24-Nov-2005 10:19 PM (UTC)
Re: actually, no you shouldn't | (Link)
|
You're a moron.
| From: malokai
Thu, 24-Nov-2005 10:20 PM (UTC)
Re: actually, no you shouldn't | (Link)
|
No, I'm a person that's had to write software to defeat any attempt to auto-store passwords.
| From: jwz
Thu, 24-Nov-2005 10:24 PM (UTC)
Re: actually, no you shouldn't | (Link)
|
I don't care what you "had" to do, and I don't care what your employers' believe to be their legal obligation to prevent me from using my computer as I see fit. If you think that your employers' halfassed attempts to prevent me from storing my passwords has anything to do with security...
you're a moron.
| From: malokai
Thu, 24-Nov-2005 10:30 PM (UTC)
Re: actually, no you shouldn't | (Link)
|
*sniffle* mommy, someone on the internet called me stupid ;_;
It's not hard. Create two random strings of text and insert them into the user's session, define one to be the username, one to be the password. Insert into form, retrieve values next request. Put autocomplete=in your scripts all you want, it's not gonna matter when the form variable names change everytime the page is loaded.
*shrugs*.
Individuals as yourself may be intelligent enough to make their own decisions; people in general are pretty stupid though and should just not be allowed to do certain things.
I'd go look up the parts that defined it, but you're slinging beer, not storing x-rays, and you've already made your decisions.
From: johnlu_78759
Thu, 22-Dec-2005 9:45 PM (UTC)
Re: actually, no you shouldn't | (Link)
|
malokai, any chance you're still getting notifications on this thread? I'm in agreement with you, and if you're at all willing to discuss your methods a little bit, I would appreciate it if you pinged my e-mail.
I work on a site that coordinates large-scale clinical research studies, and my goal is to do whatever I can--within reason--to protect the patients' privacy, regardless how the site's users have their browsers configured. I tried the dynamic-form-variable-names approach you outlined, but met with only limited success.
Thanks,
John
Now is the season of giving.. ;)
Evidence piece number one for a DMCA lawsuit? Har har.
Huh. I didn't know that was a valid attribute of the form tag. I guess I should actually look at the source from time to time to keep my HTML knowledge fresh.
It's an IE specific thing that Moz was badgered into supporting by the banks. See above.
From: pawliger
Tue, 22-Nov-2005 6:28 AM (UTC)
Yeah, but if you want to do it the hard way... | (Link)
|
Never let it be sed that's not elegant and easy, but the whole source for the WebKit frameworks are also available for hackery using the instructions at http://webkit.opendarwin.org/building/checkout.html along with scripts for launching Safari using the newly built frameworks without requiring them to be installed so would keep the system clean. If you go the hackery route find the two implementations of elementDoesAutoComplete in WebCoreBridge.mm and WebHTMLRepresentation.m, make them always return NO, build, and use WebKitSources/WebKitTools/Scripts/run-sa fari to run with the newly built frameworks.
![[User Picture]](http://p-userpic.livejournal.com/20212195/3256134) | From: zetawoof
Tue, 22-Nov-2005 8:14 AM (UTC)
Re: Yeah, but if you want to do it the hard way... | (Link)
|
For extra credit, implement an InputManager (or SIMBL plugin) to override those methods without patching or recompiling WebCore.
From: pawliger
Tue, 22-Nov-2005 4:02 PM (UTC)
Re: Yeah, but if you want to do it the hard way... | (Link)
|
Of course, what I said was "make then always return YES" but the evil little monkeys in my head made me type the wrong thing... again.
Of course, if this gets too popular, websites will start writing _utocomplete="no" in their login forms. Thankfully I can't see perl binary patches becoming too popular.
Incidentally, on my system "sudo -s" starts your shell, which can be convenient. I don't know if it does the same in OS X but I'd be surprised to learn it didn't. Other neat sudo command line options: "EDITOR=gnuclient sudo -e /etc/passwd" has to be the most convenient way to edit system files in Emacs.
From: helixblue
Tue, 22-Nov-2005 12:06 PM (UTC)
| (Link)
|
Wouldn't "sudo gnuclient /etc/passwd" work here?
sudoedit/sudo -e is neat, in any case. :)
Does this break Google Suggest, which uses autocomplete="no" to avoid a conflict between autocomplete and its own functionality?
Yeah, sorta. At least, turning autocomplete on in FF results in the browser's autocomplete box appearing over the top of the google suggest autocomplete box.
The greasemonkey script can be made to exclude google suggest, though. The binary patch, not so much.
![[User Picture]](http://p-userpic.livejournal.com/996772/447266) | From: ydna
Mon, 5-Dec-2005 8:32 AM (UTC)
| (Link)
|
The latest security update (Security Update 2005-009 v1.0) replaces WebCore. Additionally, the fix above won't work on this version of WebCore. Turns out there's another set of strings that includes AUTOCOMPLETE which gets caught by the patch (and breaks--er keeps autocomplete working). The fix is to make it case sensitive. sudo perl -pi -e 's/(\000)a(utocomplete\000)/\1_\2/gs' .../WebCore | |
