Browser widget automatically submitting the "delete Organisation" confirmation dialog. #2767
Replies: 2 comments 5 replies
-
I am not a developer of this project, but I would like to say something about it. Why should this be a problem for Postal? I rather see the problem here that an extension in a browser automatically fills in and sends a password. In theory, this can happen with any website. My password manager fills in a recognised password field, but does not send it automatically. I still do this when I am sure that I really want to type in my password. In theory, what happens if the extension mistakenly recognises a comment field as a password field and puts my password in it and sends it, does my password then end up as a comment somewhere on the Internet? I think this is more likely to be an incorrect configuration of the user's extension and not of Postal itself.
-
I expect it would not be too much effort to add postal/app/views/servers/delete.html.haml Line 18 in 0f9882f Although I am not sure how many browsers or extensions actually follow the autocomplete parameter
-
Hello, we recently had the situation (twice) when an administrator accidentally clicked on the "Delete Server" button in the Postal admin GUI. The following confirmation dialog was identified by one of the user's browser widgets to contain a password, and that widget was configured to automatically fill the password and submit the form.
We were able to restore the deleted mail servers from a DB backup. But maybe the confirmation dialog could be slightly modified so that there isn't a chance for the "delete server" confirmation dialog to be auto-submitted.
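Since the thread notes that browsers and extensions may not honour the autocomplete hint, the following added example (not Postal's code, and not from any participant in this discussion) sketches a server-side check that a password-only auto-submission cannot satisfy: the form must also carry the typed name of the server being deleted. The module, the field names `password` and `confirm_name`, and the sample data are assumptions made for illustration.

```ruby
# Added illustration, not Postal's code. The module and the field names
# "password" and "confirm_name" are hypothetical.
module DeleteConfirmation
  Result = Struct.new(:allowed, :reason)

  # params       - submitted form fields (string keys)
  # server_name  - name of the server this dialog is about to delete
  # authenticate - callable that verifies the password (application-specific)
  def self.check(params, server_name:, authenticate:)
    typed = params.fetch("confirm_name", "").to_s.strip
    # An autofill widget holds the stored credentials but not the name of the
    # server shown in this dialog, so a password-only submission stops here.
    return Result.new(false, :confirmation_missing) if typed.empty?
    # Also covers a widget that drops a username into the text field.
    return Result.new(false, :confirmation_mismatch) unless typed == server_name
    return Result.new(false, :bad_password) unless authenticate.call(params["password"].to_s)

    Result.new(true, nil)
  end
end

# Constructed sample data; the lambda stands in for the real password check.
AUTH        = ->(pw) { pw == "correct horse" }
AUTOFILLED  = { "password" => "correct horse" }
USERNAME_IN = { "password" => "correct horse", "confirm_name" => "admin@example.com" }
DELIBERATE  = { "password" => "correct horse", "confirm_name" => "mail-eu-1" }

if __FILE__ == $PROGRAM_NAME
  { autofilled: AUTOFILLED, username_in: USERNAME_IN, deliberate: DELIBERATE }.each do |label, form|
    r = DeleteConfirmation.check(form, server_name: "mail-eu-1", authenticate: AUTH)
    puts "#{label}: allowed=#{r.allowed} reason=#{r.reason.inspect}"
  end
end
```
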