Bug 83047 - Bad IE-style keyboard focus change after page load with possible security issues
Status: RESOLVED DUPLICATE of bug 96124
Alias: None
Product: konqueror
Classification: Applications
Component: khtml
Version: 3.2.1
Platform: openSUSE Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2004-06-08 13:53 UTC by mers
Modified: 2006-10-28 23:03 UTC

Description mers 2004-06-08 13:53:59 UTC
Version:           3.2.1 (using KDE KDE 3.2.1)
Installed from:    SuSE RPMs
OS:                Linux

Konqueror 3.2.1 (as came with SuSE 9.1 Pro) has a bad behaviour with possible security problems, similar to Internet Explorer's behaviour:

If Konqueror is loading a page which contains more than one text input field (with HTML forms) and the user starts typing in one of them (but not the first one) while the page isn't completely loaded, Konqueror will lose the keyboard focus and return it to the first text input field. This has possible security problems, especially with online web-email services where the user types a login name and a password: People near the computer screen may be able to see the password if the user typed it while Konqueror hadn't finished loading the page (the keyboard focus will reset to the login name input field and the user will type the password there!).

It is similar to Internet Explorer's behaviour. Mozilla doesn't have this problem.

To reproduce the bug, do the following:
1. Go to http://www.mailbox.gr/ preferably by using a slow Internet connection (i.e. dialup 56k or ISDN/DSL 64-128-256k)
2. There are two text input fields in the page: The first one is for login name and the second one for a password.
3. Make sure Konqueror hasn't finished loading the page.
4. (this step is optional) Type something in the first text field (username).
5. Move quickly to the second text field by pressing the TAB key two times or by using the mouse. Make sure Konqueror still loads the page.
6. Start typing something in the second text field (password). Continue typing until the condition 7 below is satisfied.
7. Konqueror will finish loading the page and the keyboard focus will be reset to the first text field. Your whole password or part of it (depending on how quickly you can type) will be shown on the first text input screen as open-text (i.e. no *'s).
8. People near your monitor may be able to read your password. This possibility introduces security issues in Konqueror. A form-saver may also save your password as a username.

The same behaviour can be tested with any HTML page which contains at least two text input fields.

A web browser which does not present this issue is Mozilla 1.6 which is open source and tri-licensed under GPL/LGPL/MPL. If the relevant Mozilla code is available under the GPL license, you can copy it from there. Check http://www.mozilla.org/

Thanks for making KDE and Konqueror possible!
Comment 1 dobysirius 2006-08-30 17:23:59 UTC
How is this a bug? The web page contains JavaScript that switches the focus to the username field when the page loads. It's the web page's problem that it does this, not Konqueror's. If Mozilla handles it differently (which it doesn't as far as I can tell), it's not following standards.
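
A page-side guard for the on-load focus script that Comment 1 identifies, as an added example that is not part of the bug report or of Konqueror's code: the script moves focus to the login field only if the user has not already focused or typed into a field. The function names and the fake form object are hypothetical, constructed so the scenario from the report runs outside a browser.

```javascript
// Added example: guarded on-load focus. All names here are hypothetical.

// Decide whether an on-load script may move focus to the default field.
// `doc` needs only `activeElement` and `body`; `fields` is the form's inputs.
function mayAutofocus(doc, fields) {
  const active = doc.activeElement;
  // Focus already sits in a form field: the user clicked or tabbed there.
  if (active && active !== doc.body && fields.includes(active)) return false;
  // Some field already holds text: the user has started filling the form.
  if (fields.some((f) => f.value !== "")) return false;
  return true;
}

// On-load handler a page would register instead of an unconditional focus().
function focusOnLoad(doc, fields, target) {
  if (!mayAutofocus(doc, fields)) return false;
  target.focus();
  return true;
}

// Constructed stand-in for a DOM with a login field and a password field.
function makeFakeForm() {
  const doc = { body: { tag: "body" }, activeElement: null };
  doc.activeElement = doc.body;
  const mk = (name, type) => ({
    name, type, value: "",
    focus() { doc.activeElement = this; },
  });
  const user = mk("login", "text");
  const pass = mk("password", "password");
  return { doc, user, pass, fields: [user, pass] };
}

// Scenario from the report: the user is typing the password when load fires.
function simulateTypingDuringLoad(guarded) {
  const { doc, user, pass, fields } = makeFakeForm();
  pass.focus();                      // user moves to the password field
  doc.activeElement.value += "s3";   // keystrokes before load completes
  if (guarded) focusOnLoad(doc, fields, user);
  else user.focus();                 // unconditional focus, as reported
  doc.activeElement.value += "cret"; // keystrokes after load completes
  return { login: user.value, password: pass.value };
}
```

With the unconditional script the second half of the constructed password lands in the clear-text login field; with the guard it stays in the password field.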
Comment 2 Maksim Orlovich 2006-10-28 23:03:48 UTC

*** This bug has been marked as a duplicate of 96124 ***