[Bug 26956] New: autocompletion=off shouldn't be used to protect sensitive data

https://www.w3.org/Bugs/Public/show_bug.cgi?id=26956

            Bug ID: 26956
           Summary: autocompletion=off shouldn't be used to protect
                    sensitive data
           Product: HTML WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML5 spec
          Assignee: dave.null@w3.org
          Reporter: memmie@lenglet.name
        QA Contact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-admin@w3.org,
                    public-html-wg-issue-tracking@w3.org

> "The "off" keyword indicates either that the control's input data is particularly sensitive (for example the activation code for a nuclear weapon);
— [4.10 Forms — HTML 5.1 Nightly Specs][1]

It's a user choice: to save or not the form data regardless its sensivity.
For password, in all major browsers ([Firefox 30][1], [Safari][3], [IE11][4],
Chrome) they no longer rely on `autocomplete` attribute to prevent passwords
being saved.

I still agree with using it for disable auto fill when an alternative is
provided or when the value will never be reused. But shouldn't use to "protect"
sensitive data.

[1]:
http://www.w3.org/html/wg/drafts/html/master/forms.html#attr-fe-autocomplete-off
[2]:
https://developer.mozilla.org/en-US/Firefox/Releases/30/Site_Compatibility#%3Cform_autocomplete.3D.22off.22%3E_no_longer_prevents_passwords_from_being_saved
[3]: http://lists.w3.org/Archives/Public/public-webapps/2013OctDec/1028.html
[4]: http://lists.w3.org/Archives/Public/public-webapps/2014JanMar/0015.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.

Received on Thursday, 2 October 2014 18:03:04 UTC