Nasty Problem with Safari Browser, WebEdit Password Char

Debroy_Julio1 · July 15, 2023, 6:39pm

I won't says it is a bug, but is a real problematic issue.
This happens only in Safari, and my customer uses only Mac.
I use Webedits to enter customer data, and some of the WebEdits hold private data like social security numbers, credit card numbers, Etc. These must remain hidden, unless the user hovers in the edit box and changes, and of course when initially entering the number.
When the customer file is opened, it is on read only mode, and when clicking on an Edit button (in the style of the delphi dbnavigator), all the edits are set as not read only, so the operator can edit the customer's information.
In the new Macs, using the safari browser, what happens in the moment these edits are set to editable (the ones that hide the information using a password char property different than chr(0)), is that Safari assume they are passwords, and using some stupid criteria, substitute the numbers in my database without asking, and notify the user that it has created Strong passwords instead. This in effect, substitures the customer data with their idiotic suggestion of strong password.
So far the only solution I found is to set the WebCore Form css library to cssNone instead of cssBootstrap. This stops the auto-substitution but limits other characteristics, and still keeps bugging the user asking to save those "passwords" every single time.

I tried setting the PasswordChar property to other than asterisk, like 'X' or other, but WebCore always replace my character with the standard black dot, and tells the browser that my webEdit is a PASSWORD input.
Before starting to develop some alternative, I wanted to report this because not all hidden characters are passwords and this problem is really annoying for the user, and has lead to data loss.

The problem happens the same if the app is compiled in delphi or VSC, but can only be seen when the app is served by a live server with a real public domain.

Attached is a stripped down test project and a screenshot.

EDIT: Yes, have tried the autocompletion properties of the edits, setting them to acOff or acNone but they are simply ignored by the browser.

JD.
Screenshot 2023-07-15 at 11.18.43 AM

editPasswordTest.zip (17.8 KB)

brunofierens · July 16, 2023, 9:57am

Whenever TWebEdit.PasswordChar is different from #0, it will set the HTML INPUT type to PASSWORD.
Apple comments on its strong password suggestion behavior here:
https://discussions.apple.com/thread/252704886
I don't think it is a good recommendation to turn iCloud Keychain feature off.
I'd suggest to use another technique, like a label with replaced text, for the state where the date should not be visible and not be editable.

Debroy_Julio1 · July 16, 2023, 1:56pm

I have never thought of disabling the keychain. On the contrary, I don't want my users to have the need to do anything to their computer for my program to work.
The Apple reasons behind this are completely Orwellian: "In the name of security you can do absurd things".
For sure I have to develop a solution using my already working customized WebCore basic components.

Or... hope one day you give me the basic sample or template I requested of how to customize (add some properties) to the basic FNC components so I can use them for this project, as I asked in another thread some time ago.

brunofierens · July 17, 2023, 7:33am

What other message?
I scanned your recent messages, but couldn't locate which one you are referring to.

Debroy_Julio1 · July 17, 2023, 2:08pm

Thanks Bruno, my request is on the last message on this thread:

https://support.tmssoftware.com/t/how-to-customize-fnc-components-in-delphi-for-web-and-desktop/21023

brunofierens · July 18, 2023, 7:38am

I followed up on this post.

Debroy_Julio1 · July 18, 2023, 2:25pm

Thanks, I appreciate it.