
Re: [whatwg] PSA: Chrome ignoring autocomplete="off" for Autofill data

From: Roger Hågensen <rescator@emsai.net>
Date: Fri, 14 Nov 2014 02:17:41 +0100
Message-ID: <54655835.90707@emsai.net>
To: whatwg@lists.whatwg.org

On 2014-11-13 20:20, Evan Stade wrote:
> Currently this new behavior is available behind a flag. We will soon be
> inverting the flag, so you have to opt into respecting autocomplete="off".
>

I don't like that browsers ignore HTML functionality hints like that.

I have one real live use case that would be affected by this. 
http://player.gridstream.org/request/
This radio song request uses autocomplete="off" for the music request 
because a listener would probably not request the same bunch of songs 
over and over.

Some might say that a request form should use a different input type 
like... well what? It's not a search input, is it? There is no 
type="request", is there?
In fact the request field is a generic text field that allows a short 
message if needed.

PS! Please be aware that the form is an actual live form, so if you do 
enter and submit something be aware that there might be a live DJ at 
that point actually seeing your request.


Why not treat autocomplete="off" as a default hint so if it's off then 
it's off and if it's on then it's on but allow a user to right-click (to 
bring up the context menu for the input field) and toggle autocomplete 
for that field?

I checked with Chrome, IE, Opera, Firefox, the context menu does not 
show a choice to toggle/change the autocomplete behavior at all (for 
type="text").

Also the reason the name field also has autocomplete="off" is simple, if 
somebody uses a public terminal then not having the name remembered is nice.
Instead HTML5's sessionStorage is used to remember the name.


Perhaps that could be a solution, that if autocomplete="off" is to be 
ignored by default then at least let the text cache be per session (and 
only permanently remember text if autocomplete="on"?).


Also do note that the type of field in this case is type="text".

Also, banks generally prefer to have autocomplete="off" for credit card 
numbers, names, addresses etc. for security reasons. And that is now to 
be ignored?


Also note that in Norway this month a lot of banks are rolling out 
BankID 2.0 which does not use Java, instead they use HTML5 tech.
And even today's solution (like in my bank) login is initiated by 
entering my social ID number, which is entered into an input field with 
the text with autocomplete="off".
Now my computer I have full control over but others may not (work place 
computer, they walk off for a coffee) and someone could walk by and type 
the first digit 0-9 and see whatever social id numbers had been entered.



(or did I misread what you meant with autofill here?)


--
  Roger "Rescator" Hågensen.
Freelancer - http://www.EmSai.net/
Received on Friday, 14 November 2014 01:18:08 UTC
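
The sessionStorage approach the message describes for the name field, sketched as an added example that is not part of the original message or the request form's own code. The field id `name`, the storage key and the length cap are assumptions.

```javascript
// Keep a field out of the browser's persistent form history
// (autocomplete="off") while still remembering it for the current session.
const NAME_KEY = "request.name"; // hypothetical storage key
const MAX_LEN = 64;              // hypothetical cap on the stored value

// Save a value in a Storage-like object; returns true if it was stored.
function rememberForSession(storage, key, value) {
  const v = String(value).trim().slice(0, MAX_LEN);
  try {
    if (v === "") { storage.removeItem(key); return false; }
    storage.setItem(key, v);
    return true;
  } catch (e) {
    // Storage can be disabled or full (setItem throws): remember nothing.
    return false;
  }
}

// Read the value back; returns "" when absent or storage is unavailable.
function recallForSession(storage, key) {
  try {
    const v = storage.getItem(key);
    return typeof v === "string" ? v.slice(0, MAX_LEN) : "";
  } catch (e) {
    return "";
  }
}

// Wire an <input> to the store. The text is assigned through .value,
// never innerHTML, so stored text is not parsed as markup.
function bindSessionField(input, storage, key) {
  input.setAttribute("autocomplete", "off");
  input.value = recallForSession(storage, key);
  input.addEventListener("change", () => rememberForSession(storage, key, input.value));
}

// Browser-only wiring; skipped when run outside a page (e.g. under Node).
try {
  if (typeof document !== "undefined" && typeof sessionStorage !== "undefined") {
    const field = document.getElementById("name"); // hypothetical field id
    if (field) bindSessionField(field, sessionStorage, NAME_KEY);
  }
} catch (e) {
  // Access to sessionStorage was denied; the field simply is not remembered.
}
```

The stored name disappears when the tab or window's session ends, which is the per-session behaviour the message asks for on shared terminals.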
