selection of prefilled forms with stored data

[struppi]

I noticed a small difference between Palemoon (I guess on all Platforms, but I use Linux) and other Browsers. It's not a big thing, but maybe nobody of the developer noticed that.

I have some pages where I will be forwarding to a loginpage from my company before I could access. So the login page of my company is called where I had save my username and password in the Browsers.

In principle this works everywhere. The difference between Palemoon and Firefox/Chromium is: if there is only one stored user/pass pair, firefox/Chromium just fill out the form and you could press submit immediately. Palemoon don't fill in the form. You have to choose your username first from a selectbox (in this case there is only one option) and then you can press the submit button. If you do this before choosing you'll send an empty form.

I am not sure which is the best way. Because yours might be a bit more safe because I am forced to look what I do. On the other hand it was my decision to store this user/pass pair to make the login process more comfortable.

[Moonchild]

In principle this works everywhere. The difference between Palemoon and Firefox/Chromium is: if there is only one stored user/pass pair, firefox/Chromium just fill out the form and you could press submit immediately. Palemoon don't fill in the form.

This is on purpose, because automatically filling in login details can potentially lead to your credentials being stolen (by an injected script or DNS hijack, for example).
You can change this in preferences if you want to take that risk. See screenshot.
This was changed in Pale Moon deliberately to improve security - it's been a point of contention for mainstream browser users for many years but for the big vendors "user convenience at all costs" trumps all, apparently.

[struppi]

Thank you

I didn't noticed that because I save all my password since many, many years. So I fixed the checkbox "remember passwords" long time ago and never thought about new options. But when I noticed the difference, like I mention I see it also as an safety feature. For me it's not so important, because I use uMatrix (now eMatrix) and reject all Javascript actions on unknown sites.

And I totally agree with you, the "user convenience at all costs" paradigm is the cause of many security problems.

[Moonchild]

For me it's not so important, because I use uMatrix (now eMatrix) and reject all Javascript actions on unknown sites.

Ah, but that's the thing: in these scenarios you'll be dealing with known sites. On unknown sites you won't have your login data stored, after all...
Maybe you don't know but some attacks can hijack websites and make your browser go to an unintended server. While you might easily see it's not kosher, yourself, when you land there, the site can already have extracted the login details in the background if auto-filled. Since script blocking will be domain-based, this won't help you because the domain will be the correct one.

[struppi]

For me it's not so important, because I use uMatrix (now eMatrix) and reject all Javascript actions on unknown sites.

Ah, but that's the thing: in these scenarios you'll be dealing with known sites. On unknown sites you won't have your login data stored, after all...
Maybe you don't know but some attacks can hijack websites and make your browser go to an unintended server. While you might easily see it's not kosher, yourself, when you land there, the site can already have extracted the login details in the background if auto-filled. Since script blocking will be domain-based, this won't help you because the domain will be the correct one.

I block also block domain scripts by default and if there is no need I don't change it. And since this site, where it annoyed me, is my work login, is an institual page, if they are hacked they will shutdown everything.
And did it really make any differ if the site would be hacked and some script are injected?
they also could get your login data if you submit the form or when you press a key and I thing that's more common because the most people reject the storing of the login data anyhow

[Moonchild]

I don't want to get into a technical argument about opsec here; that's not the point. Just correcting one assumption here:

they also could get your login data if you submit the form or when you press a key

No, they can't. the whole point is that without auto-filling, page content does not have access to your credentials. It may integrate seamlessly with the pages you're visiting, but the credentials offered in those drop-downs are not part of the page; it's browser internals - and pages do not have access to that by definition.