- From: <bugzilla@jessica.w3.org>
- Date: Thu, 02 Oct 2014 18:03:02 +0000
- To: public-html-admin@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=26956
Bug ID: 26956
Summary: autocompletion=off shouldn't be used to protect
sensitive data
Product: HTML WG
Version: unspecified
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: HTML5 spec
Assignee: dave.null@w3.org
Reporter: memmie@lenglet.name
QA Contact: public-html-bugzilla@w3.org
CC: mike@w3.org, public-html-admin@w3.org,
public-html-wg-issue-tracking@w3.org
> "The "off" keyword indicates either that the control's input data is particularly sensitive (for example the activation code for a nuclear weapon);
— [4.10 Forms — HTML 5.1 Nightly Specs][1]
It's a user choice: to save or not the form data regardless its sensivity.
For password, in all major browsers ([Firefox 30][1], [Safari][3], [IE11][4],
Chrome) they no longer rely on `autocomplete` attribute to prevent passwords
being saved.
I still agree with using it for disable auto fill when an alternative is
provided or when the value will never be reused. But shouldn't use to "protect"
sensitive data.
[1]:
http://www.w3.org/html/wg/drafts/html/master/forms.html#attr-fe-autocomplete-off
[2]:
https://developer.mozilla.org/en-US/Firefox/Releases/30/Site_Compatibility#%3Cform_autocomplete.3D.22off.22%3E_no_longer_prevents_passwords_from_being_saved
[3]: http://lists.w3.org/Archives/Public/public-webapps/2013OctDec/1028.html
[4]: http://lists.w3.org/Archives/Public/public-webapps/2014JanMar/0015.html
--
You are receiving this mail because:
You are on the CC list for the bug.
Received on Thursday, 2 October 2014 18:03:04 UTC