Skip to content

[iOS 26] Using AutoFill in a password field echoes the last character #47244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 26, 2025
Merged

[iOS 26] Using AutoFill in a password field echoes the last character #47244

merged 1 commit into from
Jun 26, 2025
+86 −20

Conversation

whsieh
Copy link
Member

@whsieh whsieh commented Jun 26, 2025
edited by webkit-early-warning-system
Loading

84f5cba

[iOS 26] Using AutoFill in a password field echoes the last character
https://bugs.webkit.org/show_bug.cgi?id=295032
rdar://148549180

Reviewed by Abrar Rahman Protyasha and Ryosuke Niwa.

Safari AutoFill in macOS Tahoe / iOS 26 now creates and dispatches `TextEvent`s to simulate user
input. While this more closely simulates some typing behaviors (and improves compatibility on some
websites), it also has the byproduct of triggering password echo on iOS (flashing the last typed
character in a password field).

Fix this by not echoing the last character in a password field, when the triggering text event is
untrusted. See below for more details.

* LayoutTests/editing/input/untrusted-textevent-does-not-echo-password-expected.html: Added.
* LayoutTests/editing/input/untrusted-textevent-does-not-echo-password.html: Added.

Add a layout test to exercise the change by verifying that the password does not echo when creating
and dispatching TextEvents in a password field. This test simply ref's against a password field with
a `value` attribute set to the same string.

* Source/WebCore/editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::inputText):
(WebCore::CompositeEditCommand::insertTextIntoNode):
(WebCore::CompositeEditCommand::replaceTextInNode):

Add more plumbing for the `AllowPasswordEcho` flag.

* Source/WebCore/editing/CompositeEditCommand.h:
* Source/WebCore/editing/EditCommand.h:

Add a new enum type, representing whether or not we should allow password echo when inserting text.
This enum is plumbed from `TypingCommand` -> `InsertTextCommand` -> `InsertIntoTextNodeCommand` when
typing, and finally checked in `InsertIntoTextNodeCommand::shouldEnablePasswordEcho`.

* Source/WebCore/editing/InsertIntoTextNodeCommand.cpp:
(WebCore::InsertIntoTextNodeCommand::InsertIntoTextNodeCommand):
(WebCore::InsertIntoTextNodeCommand::shouldEnablePasswordEcho const):

Pull this logic out into a private helper method, for better readability.

(WebCore::InsertIntoTextNodeCommand::doApply):
* Source/WebCore/editing/InsertIntoTextNodeCommand.h:

Store the `AllowPasswordEcho` flag as a member.

(WebCore::InsertIntoTextNodeCommand::create):
* Source/WebCore/editing/InsertTextCommand.cpp:
(WebCore::InsertTextCommand::InsertTextCommand):
(WebCore::InsertTextCommand::doApply):

Plumb the `AllowPasswordEcho` state into `InsertIntoTextNodeCommand`.

* Source/WebCore/editing/InsertTextCommand.h:

Store the `AllowPasswordEcho` flag as a member.

(WebCore::InsertTextCommand::create):
* Source/WebCore/editing/TypingCommand.cpp:
(WebCore::TypingCommand::insertTextRunWithoutNewlines):

Plumb the value of `AllowPasswordEcho` into `InsertTextCommand` when typing; this value is derived
from `triggeringEventIsUntrusted()`, which is in turn derived from whether or not the dispatched
text event is trusted.

Canonical link: https://commits.webkit.org/296673@main

a2f5192

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@whsieh whsieh requested a review from rniwa as a code owner June 26, 2025 16:14
@whsieh whsieh self-assigned this Jun 26, 2025
@whsieh whsieh added the New Bugs Unclassified bugs are placed in this component until the correct component can be determined. label Jun 26, 2025
@webkit-early-warning-system
Copy link
Collaborator

webkit-early-warning-system commented Jun 26, 2025
edited
Loading

EWS run on current version of this PR (hash a2f5192)

Misc iOS, visionOS, tvOS & watchOS macOS Linux Windows
✅ 🧪 style ✅ 🛠 ios ✅ 🛠 mac ✅ 🛠 wpe ✅ 🛠 win
✅ 🧪 bindings ✅ 🛠 ios-sim ✅ 🛠 mac-AS-debug ✅ 🧪 wpe-wk2 ⏳ 🧪 win-tests
✅ 🧪 webkitperl ✅ 🧪 ios-wk2 ✅ 🧪 api-mac ✅ 🧪 api-wpe
✅ 🧪 ios-wk2-wpt ✅ 🧪 mac-wk1 ✅ 🛠 wpe-cairo
✅ 🧪 api-ios ✅ 🧪 mac-wk2 ✅ 🛠 gtk
✅ 🛠 vision ✅ 🧪 mac-AS-debug-wk2 ✅ 🧪 gtk-wk2
✅ 🛠 vision-sim ✅ 🧪 mac-wk2-stress ✅ 🧪 api-gtk
✅ 🛠 🧪 merge ✅ 🧪 vision-wk2 ✅ 🧪 mac-intel-wk2 ✅ 🛠 playstation
✅ 🛠 tv ✅ 🛠 mac-safer-cpp
✅ 🛠 tv-sim
✅ 🛠 watch
✅ 🛠 watch-sim

@whsieh whsieh added the merge-queue Applied to send a pull request to merge-queue label Jun 26, 2025
@whsieh
Copy link
Member Author

whsieh commented Jun 26, 2025

Thanks for the reviews!

@whsieh
[iOS 26] Using AutoFill in a password field echoes the last character
84f5cba 
https://bugs.webkit.org/show_bug.cgi?id=295032
rdar://148549180

Reviewed by Abrar Rahman Protyasha and Ryosuke Niwa.

Safari AutoFill in macOS Tahoe / iOS 26 now creates and dispatches `TextEvent`s to simulate user
input. While this more closely simulates some typing behaviors (and improves compatibility on some
websites), it also has the byproduct of triggering password echo on iOS (flashing the last typed
character in a password field).

Fix this by not echoing the last character in a password field, when the triggering text event is
untrusted. See below for more details.

* LayoutTests/editing/input/untrusted-textevent-does-not-echo-password-expected.html: Added.
* LayoutTests/editing/input/untrusted-textevent-does-not-echo-password.html: Added.

Add a layout test to exercise the change by verifying that the password does not echo when creating
and dispatching TextEvents in a password field. This test simply ref's against a password field with
a `value` attribute set to the same string.

* Source/WebCore/editing/CompositeEditCommand.cpp:
(WebCore::CompositeEditCommand::inputText):
(WebCore::CompositeEditCommand::insertTextIntoNode):
(WebCore::CompositeEditCommand::replaceTextInNode):

Add more plumbing for the `AllowPasswordEcho` flag.

* Source/WebCore/editing/CompositeEditCommand.h:
* Source/WebCore/editing/EditCommand.h:

Add a new enum type, representing whether or not we should allow password echo when inserting text.
This enum is plumbed from `TypingCommand` -> `InsertTextCommand` -> `InsertIntoTextNodeCommand` when
typing, and finally checked in `InsertIntoTextNodeCommand::shouldEnablePasswordEcho`.

* Source/WebCore/editing/InsertIntoTextNodeCommand.cpp:
(WebCore::InsertIntoTextNodeCommand::InsertIntoTextNodeCommand):
(WebCore::InsertIntoTextNodeCommand::shouldEnablePasswordEcho const):

Pull this logic out into a private helper method, for better readability.

(WebCore::InsertIntoTextNodeCommand::doApply):
* Source/WebCore/editing/InsertIntoTextNodeCommand.h:

Store the `AllowPasswordEcho` flag as a member.

(WebCore::InsertIntoTextNodeCommand::create):
* Source/WebCore/editing/InsertTextCommand.cpp:
(WebCore::InsertTextCommand::InsertTextCommand):
(WebCore::InsertTextCommand::doApply):

Plumb the `AllowPasswordEcho` state into `InsertIntoTextNodeCommand`.

* Source/WebCore/editing/InsertTextCommand.h:

Store the `AllowPasswordEcho` flag as a member.

(WebCore::InsertTextCommand::create):
* Source/WebCore/editing/TypingCommand.cpp:
(WebCore::TypingCommand::insertTextRunWithoutNewlines):

Plumb the value of `AllowPasswordEcho` into `InsertTextCommand` when typing; this value is derived
from `triggeringEventIsUntrusted()`, which is in turn derived from whether or not the dispatched
text event is trusted.

Canonical link: https://commits.webkit.org/296673@main
@webkit-commit-queue
Copy link
Collaborator

Committed 296673@main (84f5cba): https://commits.webkit.org/296673@main

Reviewed commits have been landed. Closing PR #47244 and removing active labels.

@webkit-commit-queue webkit-commit-queue merged commit 84f5cba into WebKit:main Jun 26, 2025
@webkit-commit-queue webkit-commit-queue removed the merge-queue Applied to send a pull request to merge-queue label Jun 26, 2025
@whsieh whsieh deleted the eng/295032 branch June 26, 2025 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rniwa rniwa rniwa approved these changes

@aprotyas aprotyas aprotyas approved these changes

@hortont424 hortont424 Awaiting requested review from hortont424

@pxlcoder pxlcoder Awaiting requested review from pxlcoder

@rr-codes rr-codes Awaiting requested review from rr-codes

@megangardner megangardner Awaiting requested review from megangardner

Assignees

@whsieh whsieh

Labels
New Bugs Unclassified bugs are placed in this component until the correct component can be determined.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@whsieh @webkit-early-warning-system @webkit-commit-queue @rniwa @aprotyas