W3C home > Mailing lists > Public > whatwg@whatwg.org > November 2014

Re: [whatwg] PSA: Chrome ignoring autocomplete="off" for Autofill data

From: Glenn Maynard <glenn@zewt.org>
Date: Thu, 13 Nov 2014 19:49:54 -0600
Message-ID: <CABirCh_GXYxbs+nWWV_BLEE3_oR48JZmNddcRjBGqqbe4x-5DQ@mail.gmail.com>
To: Roger H├ągensen <rescator@emsai.net>
Cc: whatwg <whatwg@lists.whatwg.org>
On Thu, Nov 13, 2014 at 7:17 PM, Roger H├ągensen <rescator@emsai.net> wrote:

> On 2014-11-13 20:20, Evan Stade wrote:
>
>> Currently this new behavior is available behind a flag. We will soon be
>> inverting the flag, so you have to opt into respecting autocomplete="off".
>>
>>
> I don't like that browsers ignore HTML functionality hints like that.
>

It's not ignoring hints, this is just removing a bad feature.  One of the
most common irritants of day to day browsing is pages disabling form
autocomplete and password management, and making me enter everything by
hand.  It's working extremely poorly in the real world.

I have one real live use case that would be affected by this.
> http://player.gridstream.org/request/


Unfortunately, even if a couple pages have a legitimate use for a feature,
when countless thousands of pages abuse it, the feature needs to go.  The
damage to people's day-to-day experience outweighs any benefits by orders
of magnitude.


> This radio song request uses autocomplete="off" for the music request
> because a listener would probably not request the same bunch of songs over
> and over.


(The use case doesn't really matter to me--the abuse is too widespread--but
this is wrong.  If I request a song today, requesting it again tomorrow or
the next day is perfectly natural, especially if my request was never
played.)


>  Also, banks generally prefer to have autocomplete="off" for credit card
> numbers, names, addresses etc. for security reasons. And that is now to be
> ignored?


Yes, absolutely.  My bank's preference is irrelevant.  It's my browser, not
my bank's.  This is *exactly* the sort of misuse of this feature which
makes it need to be removed.


> Also the reason the name field also has autocomplete="off" is simple, if
> somebody uses a public terminal then not having the name remembered is nice.
>

This is another perfect example of the confused misuse of this feature.
You don't disable autocompletion because some people are on public
terminals--by that logic, every form everywhere would always disable
autocomplete.  This must be addressed on the terminal itself, in a
consistent way, not by every site individually.  (Public terminals need to
wipe the entire profile when a user leaves, since you also need cache,
browser history, cookies, etc.)

-- 
Glenn Maynard
Received on Friday, 14 November 2014 01:50:21 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:32 UTC