During an external Pen-Test, it was observed that the login screen's password field for our SaaS product should be using AutoComplete="off".
We are using Azure AD B2C non-social accounts and custom policies; It is my understanding that the B2C mechanism injects its own content as a form into the div of the supplied template. Is it possible to influence the placement of this attribute? Customize the user interface with HTML templates in Azure Active Directory B2C
<!DOCTYPE html>
<html>
<head>
<title>My Product Brand Name</title>
</head>
<body>
<div id="api"> [[ INSERTED HERE ]] </div>
</body>
</html>
I have found references to modify the fields using client-side JavaScript, such as Azure B2C password field text and placeholder and Azure B2C Password field value visible button? but would prefer to avoid manipulating the DOM like this.
Note: I am aware that the guidance of AutoComplete="off" is that many of the browsers ignore the setting anyway, but I'm looking for an affirmative code change for compliance or a clear mitigation rationale.
