Re: [whatwg] PSA: Chrome ignoring autocomplete="off" for Autofill data

From: Evan Stade <estade@google.com>
Date: Thu, 13 Nov 2014 23:02:21 -0800
Message-ID: <CAO4XGS-7gD3H7QfJQvvw2HtmUR8OeLfhJdUM2qyBg=0H_MvQJw@mail.gmail.com>
To: rescator@emsai.net
Cc: whatwg@lists.whatwg.org

On Thu, Nov 13, 2014 at 5:17 PM, Roger Hågensen <rescator@emsai.net> wrote:

> On 2014-11-13 20:20, Evan Stade wrote:
>
>> Currently this new behavior is available behind a flag. We will soon be
>> inverting the flag, so you have to opt into respecting autocomplete="off".
>>
>>
> I don't like that browsers ignore HTML functionality hints like that.
>
> I have one real live use case that would be affected by this.
> http://player.gridstream.org/request/
> This radio song request uses autocomplete="off" for the music request
> because a listener would probably not request the same bunch of songs over
> and over.
>

autocomplete="off" will still be respected for autocomplete data. This
should cover your use case.


> Also the reason the name field also has autocomplete="off" is simple, if
> somebody uses a public terminal then not having the name remembered is nice.
>

Only the user can figure out if they're at a public terminal.


>
> Also, banks generally prefer to have autocomplete="off" for credit card
> numbers, names, addresses etc. for security reasons. And that is now to be
> ignored?
>

I'm not sure what security threat is addressed by respecting
autocomplete="off".


>
>
> Also note that in Norway this month a lot of banks are rolling out BankID
> 2.0 which does not use Java, instead they use HTML5 tech.
> And even today's solution (like in my bank) login is initiated by entering
> my social ID number, which is entered into an input field with the text with
> autocomplete="off".
> Now my computer I have full control over but others may not (work place
> computer, they walk off for a coffee) and someone could walk by and type
> the first digit 0-9 and see whatever social id numbers had been entered.
>

This is also autocomplete, not Autofill (in Chrome parlance).
Received on Friday, 14 November 2014 07:02:46 UTC