- From: Lachlan Hunt <lachlan.hunt@lachy.id.au>
- Date: Sat, 12 Mar 2005 22:54:28 +1100
Hi, I realise I may be a little late with this issue, since WF2 seems to be fairly stable, but never the less I would like to note my objection to the inclusion of the autocomplete attribute [1]. Because autocomplete is a user agent feature designed to assist the user with filling out forms, the decision for whether or not to use it should lie with the user. You should also keep in mind that a user agent should act on behalf of the user at all times. As a user, I depend on this functionality (including password managers) to help remember various login names and passwords used for each site, and to help type address details, e-mail addresses, URIs and any other commonly entered values. As a user, I also get to choose where and when such information is remembered by my user agent, which is the purpose of the 'Do you want to remember these values?' dialog for which I (or any other user) can answer "yes", "no", "never for this site" or any other option provided by the user agent. The autocomplete attribute essentially gives this control to the author of the document, rather than the user; and enabling or disabling any user agent feature without the *user's* consent is a very user-hostile act, which I will not tolerate. Any user agent that obeys a directive from a web page to disable a feature designed for the user is no longer acting on behalf of the user, but rather on behalf of the author! # Support for the attribute must be enabled by default, and the # ability to disable support should not be trivially accessible, # as there are significant security implications for the user if # support for this attribute is disabled. While it may be true that there are security implications if a user agent remembers sensitive information, I strongly disagree with the recommendation that the ability to disable the feature should not be trivially accessible. A user agent should be able to make any options available to the user and such decisions should remain with the user agent vendor, not with this or any other specification. # Banks frequently do not want UAs to prefill login information: That may be so, but that still does not give a bank (or other organisation) the right to enforce such policies in my user agent. Personally, I regularly make use of autocomplete to remember my account login number on my personal computer and although I would not make the same decision on a public computer, it is *my choice* to do so; regardless of any guideline suggested by the organisation. The security concerns of this user agent feature should be addressed by the user agents, not this or any other document markup language specification. Please consider removing (or at least deprecating) this proprietary attribute which should not be used by an author under any circumstances. (I do realise that this attribute is already supported by most UAs, but luckily it is not widely used by any of the sites I frequently access and I hope that will not change in the future.) [1] http://www.whatwg.org/specs/web-forms/2005-01-28-call-for-comments/#the-autocomplete -- Lachlan Hunt http://lachy.id.au/ http://GetFirefox.com/ Rediscover the Web http://GetThunderbird.com/ Reclaim your Inbox
Received on Saturday, 12 March 2005 03:54:28 UTC