Allow for disabling of all autocomplete fields on password inputs on a Self-Managed Instance
Release notes
Self-Managed administrators can now optionally disable all password autocomplete fields on their instance through a configurable setting in the Admin Area. This can be useful in situations where you must use a security scanning tool that only accepts a password input field with autocomplete=off. Please note this may impact the ability to use some password managers that rely on the value of autocomplete to check for updates to password values.
Problem to solve
This is a continuation of this issue, in which it was first discussed whether GitLab could implement the ability to set autocomplete=off for all user input fields on an instance. That issue was closed (different fields were set to different values), but there is still customer interest in seeing this implemented so that autocomplete can be completely disabled on all forms.
Proposal
Larger enterprise customers are sometimes required to use security scanning/vulnerability services which flag any autocomplete value other than off as a failure, especially on a login screen or prompt where the input type is password. These customers would like a configurable setting that overrides the current autocomplete values to off in order to meet those requirements. An example of a scanner result can be found here.
If we use this MR as an example of current input fields, most of these are derived from Devise:
URL Path | Input Field | Value of autocomplete | Pass?
---|---|---|---
users/sign_in | Password | current-password |
users/sign_up | Password | new-password |
We appear to use Vue to determine the default value of the password field's autocomplete, as shown here:
:autocomplete="autocomplete"
We may be able to create a computed function to determine whether the value should be overridden, or even set the value directly in the HAML using a conditional render based on a configured setting whose value is set to True.
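As an added illustration (not GitLab's code), the following models the proposed override as a plain function and pairs it with a scanner-style check of the two Devise forms listed in the table above. The setting name disablePasswordAutocomplete and the rendered markup are assumptions for the example.

```javascript
// Hypothetical instance setting; the issue does not name the real one.
const instanceSettings = { disablePasswordAutocomplete: true };

// What the proposed computed property would return: the Devise default
// (current-password / new-password) unless the instance-wide setting
// forces every password input to autocomplete="off".
function resolveAutocomplete(defaultValue, settings = instanceSettings) {
  return settings.disablePasswordAutocomplete ? 'off' : defaultValue;
}

// Constructed stand-in for the two Devise forms from the table above.
function renderPasswordInput(path, settings = instanceSettings) {
  const defaults = {
    'users/sign_in': 'current-password',
    'users/sign_up': 'new-password',
  };
  const value = resolveAutocomplete(defaults[path], settings);
  return `<input type="password" name="password" autocomplete="${value}">`;
}

// Scanner-style check: return every password input whose autocomplete
// attribute is missing or not "off", which is what the scanners described
// in the proposal flag as a failure.
function findNonCompliantPasswordInputs(html) {
  const failures = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const type = (tag.match(/\btype\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    if (!type || type.toLowerCase() !== 'password') continue;
    const ac = (tag.match(/\bautocomplete\s*=\s*["']?([^"'\s>]+)/i) || [])[1];
    if (!ac || ac.toLowerCase() !== 'off') failures.push(tag);
  }
  return failures;
}

// With the setting on, both forms pass the scanner-style check.
const page = ['users/sign_in', 'users/sign_up'].map((p) => renderPasswordInput(p)).join('\n');
console.log(findNonCompliantPasswordInputs(page).length === 0 ? 'all password inputs off' : 'failures found');
```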