Docs: Get rid of "Note that as a precaution, we only return the email back to the page — not the password" in the action docs
Describe the problem
See https://kit.svelte.dev/docs/form-actions#anatomy-of-an-action
There is a misleading note:
Note that as a precaution, we only return the email back to the page — not the password.
This is a shibboleth, IMO. There's nothing about a password (a wrong password, in this case) that makes it more vulnerable than any other bit of data. There's nothing that makes the server sending it back more vulnerable than the browser sending it to the server in the first place. If I'm wrong, then the note should say how. But assuming I'm right...
The implication is that none of the data passed between the server and the page is secure. That indeed may be the case. The site might be served over http. There may be malicious code in the app or on the page. If so, the app has a bigger problem, and the note only imparts a false sense of security.
Some folks (used to?) obfuscate the type of login error, passing "login failed" rather than "account not found" or "wrong password." Perhaps that practice somehow got garbled into this?
Describe the proposed solution
Get rid of the note, or replace it with something useful, something like
In production, SvelteKit apps should always be served over https. This will keep all data, including things like emails and passwords, secure between the server and browser.
Alternatives considered
No response
Importance
nice to have
Additional Information
No response
I can make the changes