Perhaps better stated as "Some applications can cache a password field
within a document", or "Firefox is [sometimes] not saving a password on
[some unidentified] web page in its autocomplete cache."
If passwords are not saved in the autocomplete cache in FF for all web
pages then it's possible John configured FF to not remember passwords
for sites. Also, no app can always identify what field (object) in a
form is actually used for the password. There are hints based on object
name or type but nothing prevents the web page author from using a
non-identifed object to store the password value. John doesn't say if
the problem is everywhere or a few places or just one place.
Or perhaps John meant to ask something like "Some applications can ask
for a password when they load". This usually applies not for loading
the application but when that application attempts to access a local
database, message store, or something that it accesses. FF has its own
master password option under the Security tab. Help says:
Firefox can protect sensitive information such as saved passwords and
certificates by encrypting them using a master password. If you create
a master password, each time you start Firefox, it will ask you to
enter the password the first time it needs to access a certificate or
stored password.
I've been using FF since day one, and since I told it to save
passwords, I've never been asked again, and on most pages it does it
automatically. On one page I use regularly, this facility is disabled
by a script on the page.
For "<input type="password" />" used within a form, there is the
autocomplete=off parameter which tells the web browser NOT to cache the
value of this object. "Autocomplete" is the cache in the web browser.
In JQuery, use "$("input#Password").attr("autocomplete","off");" or
"$("input[type='password']").attr("autocomplete","off");". In
Javascript, use "document.getElementById('Password').autocomplete =
'off';". They're all using the autocomplete parameter (set to "off") on
an input object.
https://developer.mozilla.org/en-US/docs/How_to_Turn_Off_Form_Autocompletion
http://www.w3schools.com/html5/att_form_autocomplete.asp
If you visit an HTTPS page but an object is delivered via HTTP header or
META tag then caching is disabled. That's how IE works so I suspect FF
does the same. I suspect any dynamic web page using Javascript from a
non-secured source when visiting an HTTPS page would do the same (no
caching). Mixed content is better enforced (with selections for Prompt,
Allow, Block) in IE than in FF (a 7-year old reported problem). I
believe Mozilla (hence Google for Chrome) are now looking at blocking
mixed *script* content for an HTTPS page but that is incomplete. Non-
encrypted text or images coming from a HTTP source could also contain
sensitive info, like credit card or bank account info, and that could be
sniffed out of the HTTP traffic despite you visiting an HTTPS page. At
best, you can have FF alert you about mixed content but that content has
*already* been delivered in the clear (i.e., the alert is worthless on
inbound traffic and only provides some notice that anything you send out
might not be encrypted). Pity when FF can't manage the same security as
old IE where the mixed content option showed up in IE7 back in 2006 and
I've always had it set to Blocked although the default is to Prompt.
