Conversation

@rhcarvalho (Contributor) commented Jan 6, 2026

References:

Some sites implementing spellcheck="false":

Some that don't:

While not strictly necessary for the out-of-the-box functionality
provided by phx.gen.auth, disabling spell-checking on password input
fields can help mitigate PII leakage through browser spellcheck
features, e.g. when a developer implements a "show password" feature
unaware of such risks.

References:

- Article on "Spell-jacking" from 2022: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
- The AWS Console login page sets `spellcheck="false"` on all input fields: https://aws.amazon.com/console/

Disabling spell-checking on input fields can help mitigate PII leakage
through browser spellcheck features, in particular when users enable
"advanced spellchecking" or use third-party browser extensions.

References:

- Article on "Spell-jacking" from 2022: https://www.bleepingcomputer.com/news/security/google-microsoft-can-get-your-passwords-via-web-browsers-spellcheck/
- The AWS Console login page sets `spellcheck="false"` on all input fields: https://aws.amazon.com/console/
@rhcarvalho (Contributor, Author)

I split the PR into two commits in case we want to leave out the password inputs, though I don't see much reason to do it. The sites that bother setting spellcheck="false" seem to set it for all form fields.

@MzudemO commented Jan 8, 2026

To add some newer context: in Chromium-based browsers this issue has been fixed for password fields since 2022: https://issues.chromium.org/issues/40238870

The Microsoft Editor add-on has been disabled as of October 2025. It's now built in to the Edge browser, but likely has the same behaviour as the extension did previously.

Irrespective of that, any spellchecking tool can of course have this vulnerability, though they are also free to simply ignore spellcheck="false" if malicious.

@rhcarvalho (Contributor, Author)

Thanks for the comment @MzudemO!

> Irrespective of that, any spellchecking tool can of course have this vulnerability, though they are also free to simply ignore spellcheck="false" if malicious.

👍 The intention/expectation here is not to solve for malicious extensions or other things like AI systems reading your screen.

It is, however, intended to assist devs/users unaware of accidentally leaking information to third parties (for the same reasons we still see to this day high-profile sites applying the technique).
