[SDK-1191] Lock social buttons now render as links instead of buttons #1760

Merged
merged 2 commits into from
Dec 4, 2019

stevehobbsdev
Contributor

Changes

Lock social buttons now render as links instead of buttons. This is to fix an issue with LastPass not attaching its buttons to the input boxes on load.

I believe this is a security issue with LastPass (see security considerations on this doc). It won't initialize the extension on the form fields until some user interaction has happened, because there are button tags within the form (the social buttons). If a site hosting Lock was vulnerable to XSS attacks, they could potentially post login information to a malicious location if LastPass did actually pre-fill those form fields on page load.

Changing these buttons to links (without affecting the styles, other than providing an affordance that was normally provided by the browser) solves the issue.

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language

Checklist

@stevehobbsdev stevehobbsdev changed the title Lock social buttons now render as links instead of buttons [SDK-1191] Lock social buttons now render as links instead of buttons Nov 29, 2019
@stevehobbsdev stevehobbsdev marked this pull request as ready for review December 3, 2019 10:45
@stevehobbsdev stevehobbsdev requested a review from a team December 3, 2019 10:45
@stevehobbsdev stevehobbsdev added this to the vNext milestone Dec 3, 2019
2 participants