[css-ui] Spec input-security property

[hober]

An increasing number of sites have switched their login forms from using <input type=password> to <input type=text> for password input, in order to provide the ability to toggle display of the password text. This has the unfortunate side effect of preventing client-side password/account managers from correctly filling the form. We should spec the ability to toggle display of the contents of <input type=password> to help sites avoid breaking such account managers.

WebKit implements <input type=password> styling with a -webkit-text-security property, for which there are several polyfills out there for other browsers (e.g. noppa/text-security), so perhaps it's the right cowpath to pave here.

It's worth noting that it's sometimes desirable to obscure the text of other inputs—<input type=tel>, for instance.

[FremyCompany]

I just want to note that Edge allows the text of input type=password to be user-readable on user request, and that solves the use case for which websites convert their input type=password into type=text without introducing a new property.

I'd rather standardize this behavior than standardize the text-security property, to be quite honest. I'm always really surprised when I notice other browsers still don't have a button to show the value of a password textbox on user request.

[FremyCompany]

[FremyCompany]

The button is only available if you are typing the password. Autofilled values and javascript-filled passwords are not accessible through that button (but of course are via the DevTools)

[fantasai]

It seems to me that adding a new value to text-transform would make more sense than adding a new property.

[jonjohnjohnson]

What if text-transform accepted a string, which covers more bases than the styles -webkit-text-security offers? Though less specific to security, it could be useful for "spoiler" visuals?

text-transform: '\0020\00B7\0020';

[frivoal]

@jonjohnjohnson Not saying this is the right answer for this particular issue, but if we're talking about allowing authors to define arbitrary text-transforms, I have this proposal: https://specs.rivoal.net/css-custom-tt/

[hober]

@fantasai sure, adding a value to text-transform seems reasonable to me. While -webkit-text-security takes several values (offhand there's disc, square, and circle), I think we only need one, which means "please obscure the text in the manner of a native password field" or the like.