What Data a Form Recovery Extension Should Never Touch
Transparency is key. Here is exactly what data Form Recover ignores to keep your private information safe.
A form recovery extension is designed to be your safety net, catching the text you type so you never lose a draft again. But a safety net shouldn’t be a fishing net—it shouldn’t just grab everything in its path.
To remain secure, a well-designed extension must have strict boundaries. At Form Recover, we believe there are three specific “No-Fly Zones” that an extension should never touch.
1. Password Fields (type="password")
This is the most obvious rule, but also the most critical. Any extension that attempts to save data from a field where the characters are obscured (dots or asterisks) is a security risk.
Why it matters: Passwords should only ever be handled by dedicated, audited password managers or the browser’s own credential store. A form recovery tool should ignore these fields entirely to ensure your primary “keys to the kingdom” are never sitting in a draft history.
2. Payment Information (Credit Cards & CVVs)
When you’re checking out on an e-commerce site, you’re entering highly sensitive financial data.
The “No-Touch” Rule: A secure extension should automatically ignore fields whose autocomplete attribute carries values like cc-number, cc-exp, cc-csc, or any input that looks like a credit card number. Even if the site doesn’t label them correctly, a smart extension looks for patterns that indicate financial data and stays away.
The Verdict: If you lose your connection while entering your credit card, it’s better to re-type the 16 digits than to have those digits stored in a local history database.
3. Hidden Inputs and Tokens
Websites often use “hidden” fields (type="hidden") to store CSRF tokens, session IDs, or tracking pixels. These aren’t things you “type,” but they are part of the form data.
Why we ignore them:
- Irrelevance: You don’t need to “recover” a session token; you need to recover your 500-word product review.
- Security: Session tokens can sometimes be used for “session hijacking” if they fall into the wrong hands. By ignoring hidden fields, we ensure that only the content you created is what gets saved.
How Form Recover Handles Privacy
We don’t just “hope” we don’t save this data; we’ve built the extension to be blind to it by default.
- Type Filtering: We explicitly exclude input[type="password"], input[type="hidden"], and sensitive input[type="number"] fields.
- Heuristic Analysis: We check for common IDs and class names (like “cvv”, “card-number”, “ssn”) to proactively ignore them.
- User Control: You can always blacklist specific websites where you deal with sensitive data, giving you the final say over your privacy.
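The three rules above can be combined into a single capture decision. The sketch below is an added example, not Form Recover's own code: the field descriptor shape, the function names, the reason strings and the use of a Luhn checksum to spot card-like values are all assumptions, and the sensitive terms are the ones named in the list.

```javascript
// Added example, not Form Recover's code. Field descriptors are plain objects
// (assumed shape: type, autocomplete, id, name, className, value).
const BLOCKED_TYPES = new Set(["password", "hidden"]);
const SENSITIVE_NAME = /(^|-)(cvv|ssn|card-?number)(-|$)/; // terms from the article

// "cardNumber", "card_number", "billing.cvv" -> "card-number", "card-number", "billing-cvv"
function normalize(s) {
  return String(s || "")
    .replace(/([a-z0-9])([A-Z])/g, "$1-$2")
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-");
}

// Luhn checksum over 13-19 digits: one way (an assumption) to spot card-like values.
function looksLikeCardNumber(value) {
  const digits = String(value || "").replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Returns { save: boolean, reason: string }; the first matching rule wins.
function shouldCapture(field, hostname, blockedSites = new Set()) {
  if (blockedSites.has(hostname)) return { save: false, reason: "site-blocked" };
  const type = (field.type || "text").toLowerCase();
  if (BLOCKED_TYPES.has(type)) return { save: false, reason: "type:" + type };
  // autocomplete may hold several tokens, e.g. "section-billing cc-number"
  const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/);
  if (tokens.some((t) => t.startsWith("cc-"))) return { save: false, reason: "autocomplete" };
  // Match whole name segments so "businessName" is not mistaken for "ssn"
  const names = [field.id, field.name, ...(field.className || "").split(/\s+/)];
  if (names.some((n) => SENSITIVE_NAME.test(normalize(n)))) return { save: false, reason: "name-heuristic" };
  if (looksLikeCardNumber(field.value)) return { save: false, reason: "card-pattern" };
  return { save: true, reason: "ok" };
}
```

In a real extension the descriptor would be built from the element's attributes, and the value check would run before anything is written to the draft store.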
Conclusion
The goal of form recovery is to save your work, not your secrets. When choosing a tool to protect your productivity, make sure it’s smart enough to know what to ignore.
Privacy isn’t just about what you save—it’s about what you choose to leave alone.