RE: Issue 948 SC 1.3.5 Identify Input Purpose - autocomplete technique VS Privacy/Security

Hi Jason,

That’s a slightly different issue, and one that has been raised and answered previously:
https://github.com/w3c/wcag21/issues/590#issuecomment-359288754


It generated a bug on HTML, which was resolved by including in HTML5.3(?) that “User agents should verify that all fields with the [autocomplete] attribute wearing the autofill expectation mantle are visible within the viewport before automatically entering data.”
https://github.com/w3c/html/issues/1285


Adding a note is fine; I think it would be most appropriate on the technique for autofill.

However, I’m not sure what it would say as we don’t currently have an alternative (accessibility supported) technique to propose. So it would basically say: Use this technique, but just so you know here are some privacy & security issues with it… but you still have to use it.

One of the issues is something that the user-agents will have to tackle regardless of WCAG 2.1, and this latest one doesn’t really seem to be an issue.

Is it worth a note?

-Alastair


From: White, Jason J

Safari under Mac OS doesn’t complete form fields unless I move focus to the field and explicitly choose to invoke the automatic completion.

I don’t know whether other browsers will follow this example. Privacy concerns associated with autocomplete have surfaced recently, focusing on exploitation by third-party tracking scripts associated, presumably, with advertising.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/


It should be noted that, as emphasized in the article, the feature is working as designed – there’s no hitherto unknown vulnerability here.

I would suggest including the “autocomplete” technique as planned, but adding a note (if it isn’t already in the draft) on its privacy and security implications.
________________________________

Received on Tuesday, 5 June 2018 22:17:43 UTC