- From: Stephen McGruer <notifications@github.com>
- Date: Tue, 04 Jul 2023 08:04:00 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/831/1620413725@github.com>
(Chrome hat back on) I'm interested to understand the TAG's concerns a little deeper. I can see three main scenarios where data-sharing may be a concern:

1. User initiates a fill on https://main-frame.example, and due to the shared-autofill permission policy proposed here, the browser fills some info down into fields in https://iframe.example (which the main-frame has given shared-autofill to)
   - To me this shouldn't be a concern, because nothing today stops https://main-frame.example from just hosting all the fields itself and then postMessaging the supplied data to https://iframe.example
2. User initiates a fill on a frame https://frame.example, and due to the same-origin autofill model proposed here, the browser fills across to fields in other https://frame.example frames (could be iframes, could be main frame).
   - To me this shouldn't be a concern, because these same-origin frames could just postMessage to each other anyway.
3. User initiates a fill on https://iframe.example, and for some less-sensitive info, the browser fills some data 'up' into fields on the main frame https://main-frame.example
   - I can see this being a concern, as the user is technically sharing info with site A and the browser is silently sharing the data to site B
   - **However**, this seems like more of an 'iframes are generally scary' concern, in that as a user you basically never know if particular content (or a text input!) you see on a page is from the main site or an iframe it has embedded. The web roughly requires that you transitively trust the main-frame to not embed things that might try to trick you!
   - Put another way, we don't warn users when they type information into an input field that is inside an iframe, or just hit a keyboard key when an element inside an iframe has focus. This doesn't seem fundamentally different.
-----

As a side-note, to me there is also the practical consideration that autofill already exists today as a browser feature on multiple browsers, some of which are doing behavior like this. Autofill is also mostly un-specified and non-interoperable across browsers, which makes it opaque/difficult for website developers. Whilst it looks like fully standardizing it will be unlikely to happen (Apple have stated that they consider it a browser feature), I think it would be positive for website builders and the web if we could standardize at least some sub-part of the behavior for them to rely on!

--
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/831#issuecomment-1620413725
Received on Tuesday, 4 July 2023 15:04:05 UTC