Due to a recently discovered vulnerability in some browsers, password input fields and iframes loading external content must now set the spellcheck attribute to false. Some browsers with an enhanced spellcheck feature send password data to unintended sources if password unmasking is enabled (the “show password” checkbox next to a password box).
To avoid accidental disclosure, the best practice is to disable spellcheck for all password fields and iframes regardless of "Show password" options.
A team consuming our self-hosted visitor API package was issued an internal application security ticket because there were insecure iframe elements detected on their web pages that were actually being created by the package.
To fix it, we added a new attribute to the iframe spellcheck and set it to false.
The scope of this post is to recommend that iframes be sanitized with a `spellcheck="false"` flag in visitor API package.