(CVE-2023-26081) Don't autofill passwords in sandboxed contexts

If using the sandbox CSP or iframe tag, the web content is supposed to be not trusted by the main resource origin. Therefore, we'd better disable the password manager entirely so the untrusted web content cannot exfiltrate passwords.

https://github.com/google/security-research/security/advisories/GHSA-mhhf-w9xw-pp9x
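The decision described above, sketched as an added example that is not code from this merge request or from the browser it patches: a context counts as sandboxed when the embedding iframe has a `sandbox` attribute or an enforced CSP response header carries the `sandbox` directive, and password autofill is refused outright in that case. The function names and the shape of the `ctx` object are hypothetical.

```javascript
// Added illustration. All names and the ctx object shape are assumptions.

// True if any enforced Content-Security-Policy header value contains a
// `sandbox` directive. One header value may hold several comma-separated
// policies; directives are separated by ';' and their names are
// case-insensitive.
function cspHasSandbox(headerValues) {
  for (const value of headerValues) {
    for (const policy of value.split(",")) {
      for (const directive of policy.split(";")) {
        const name = directive.trim().split(/\s+/)[0];
        if (name && name.toLowerCase() === "sandbox") return true;
      }
    }
  }
  return false;
}

// ctx.cspHeaders:        values of enforced Content-Security-Policy response
//                        headers (Report-Only headers and <meta> policies are
//                        excluded by the caller, since `sandbox` is ignored there)
// ctx.frameSandboxAttr:  value of the embedding <iframe>'s sandbox attribute,
//                        or null when there is none or the page is top-level
// ctx.ancestorSandboxed: true when an ancestor context is already sandboxed
function isSandboxedContext(ctx) {
  // sandbox="" is the strictest form, so presence matters, not the value.
  if (ctx.frameSandboxAttr !== null && ctx.frameSandboxAttr !== undefined) {
    return true;
  }
  if (ctx.ancestorSandboxed) return true;
  return cspHasSandbox(ctx.cspHeaders || []);
}

// Autofill is disabled entirely in sandboxed contexts, whatever allow-* tokens
// are present: the embedder has declared the content untrusted.
function mayAutofillPasswords(ctx) {
  return !isSandboxedContext(ctx);
}

// Constructed sample contexts.
const plainPage = { cspHeaders: ["default-src 'self'"], frameSandboxAttr: null };
const cspSandboxed = { cspHeaders: ["default-src 'self'; Sandbox allow-scripts"], frameSandboxAttr: null };
const iframeSandboxed = { cspHeaders: [], frameSandboxAttr: "allow-same-origin allow-forms" };
const nestedInSandbox = { cspHeaders: [], frameSandboxAttr: null, ancestorSandboxed: true };
```
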
