Seeing the articles about the iframe Autofill vulnerability got me thinking about any way to avoid having passwords sent where I don’t expect them to. If there were a way to autofill (ideally via hotkey, as that is my preferred workflow) ONLY the currently-selected textbox, that would avoid this, I believe. Perhaps this could be implemented alongside the below-linked feature request (such as by adding a checkbox configured for each site so it can be enabled on sites that disabling autofilling iframes breaks the Autofill). This could also be done in the mobile apps, as well.
hi folks, as noted in another community reply there are additions to iframe autofilling to address all concerns in the release next week. as has been noted, cases of a malicious iframe on a trusted login page are extremely rare