Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames

Posted: 2017-12-30, 01:45
by Thehandyman1957
Is this something we need to be worried about? :think:

Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames
https://www.bleepingcomputer.com/news/s ... usernames/

Re: Web Trackers Exploit Flaw in Browser Login Managers to Steal Usernames

Posted: 2017-12-30, 02:42
by Moonchild
It's not a flaw in the login managers. It's actually a design decision (deliberate convenience feature) that is being abused.
This approach is only possible when a third party has script access to the first-party domain, since cross-origin access needs to be set explicitly -- this means that it will only work when the site owners explicitly allow this script access, so actually stealing credentials through scripts that are not known to the website owners won't be possible. In the case of XSS, we have CSP to mitigate that.

I am however ahead of this already, because I do recognize the risk of this feature being enabled by default. See Issue #1559. I'll change the default, but will provide an easy way for users to re-enable it if they prefer the convenience of it and find having to click the user name field to be too cumbersome for their workflow.