Re: [whatwg] Password managers ignoring autocomplete='off' harming security

From: Gavin Sharp <gavin@gavinsharp.com>
Date: Tue, 14 Oct 2014 10:02:29 -0700
Message-ID: <CAHBT5m0uDbkDzVJA00foUGO0n5Hj2oYnPUsyRzGDo5HD9Ow5Pw@mail.gmail.com>
To: Dan Poltawski <dan@moodle.com>
Cc: whatwg <whatwg@lists.whatwg.org>

On Wed, Oct 1, 2014 at 12:19 PM, Dan Poltawski <dan@moodle.com> wrote:
> Over the past few months all the browser vendors have moved towards
> ignoring autocomplete="off" with password fields.

> * The password managers are now all auto-filling these fields with
> passwords on the same domain and in many cases without the user even
> noticing (optional fields they wouldn't look at)

I was just reminded of this thread by a separate discussion that made
me look into Firefox's behavior with autocomplete="off" again. I think
I had an incorrect recollection of Firefox's behavior when I
originally replied. To be clear, recent Firefox has the following
behavior:

- autocomplete="off" is ignored when determining whether to prompt the
user to save a password after it is submitted
- autocomplete="off" is ignored when determining whether to autofill a
password in response to a user input (blur/tab/enter) in an associated
"username" field (determined heuristically)
- autocomplete="off" is NOT ignored when determining whether we should
automatically fill in a form when the page is loaded (without further
user interaction)

I had assumed your case was the third scenario, in which case
autocomplete="off" should still be effective. But perhaps you're
hitting the second case somehow. There may be ways for you to design
your forms to work around this issue.

(It may be best to just take this discussion off-thread, since this is
veering off-topic for the whatwg list.)

Gavin

Received on Tuesday, 14 October 2014 17:03:00 UTC
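As an added example, not part of this mail thread and not Firefox's own code: a small Node.js script that audits an HTML fragment for password fields and reports, for each one, which of the three Firefox behaviours listed above would still apply even with autocomplete="off". The regex-based tag scan is an assumption that suffices for simple markup, and the "nearest preceding text or email input in the same form" rule is an assumed stand-in for Firefox's heuristic username association; the sample forms are constructed.

```javascript
// Added example (not from the mail thread or from Firefox). Audits password
// inputs in an HTML string against the three cases described in the mail.
// Assumptions: a regex tag scan is enough for the sample markup, and the
// heuristic "associated username field" is approximated as the nearest
// preceding text/email input inside the same <form>.

const TAG_RE = /<(\/?)(form|input)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one tag's attribute string into a lower-cased name -> value map.
function parseAttrs(raw) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(raw)) !== null) {
    const value = [m[2], m[3], m[4]].find(v => v !== undefined) || '';
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Describe, for one password input, which of the three behaviours still apply.
function classify(attrs, usernameCandidate) {
  const off = (attrs.autocomplete || '').trim().toLowerCase() === 'off';
  return {
    name: attrs.name || '(unnamed)',
    autocompleteOff: off,
    usernameCandidate,
    // Case 1: the save-password prompt ignores autocomplete="off" entirely.
    savePromptSuppressed: false,
    // Case 2: autofill triggered by user input in an associated username
    // field also ignores it, but only if such a field exists (assumed rule).
    userTriggeredAutofillPossible: usernameCandidate !== null,
    // Case 3: autofill at page load still honours autocomplete="off".
    pageLoadAutofillBlocked: off,
  };
}

// Walk the markup, tracking the current <form> and its last username-like input.
function auditPasswordFields(html) {
  const findings = [];
  let usernameCandidate = null;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const closing = m[1] === '/';
    if (m[2].toLowerCase() === 'form') {
      usernameCandidate = null; // entering or leaving a form resets the pairing
      continue;
    }
    if (closing) continue;      // <input> has no closing tag; ignore stray ones
    const attrs = parseAttrs(m[3]);
    const type = (attrs.type || 'text').toLowerCase();
    if (type === 'text' || type === 'email') {
      usernameCandidate = attrs.name || '(unnamed)';
    } else if (type === 'password') {
      findings.push(classify(attrs, usernameCandidate));
    }
  }
  return findings;
}

// Names of fields whose author set autocomplete="off" but which can still be
// autofilled through the username-field path (the surprise in this thread).
function riskyFields(html) {
  return auditPasswordFields(html)
    .filter(f => f.autocompleteOff && f.userTriggeredAutofillPossible)
    .map(f => f.name);
}

// Constructed sample: a login form, an admin "create user" form with an
// optional initial password plus confirmation, and a form holding only an
// API token field with no username-like input near it.
const SAMPLE_HTML = `
<form id="login">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="off">
</form>
<form id="new-user">
  <input type="text" name="newusername">
  <input type="email" name="email">
  <input type="password" name="initialpassword" autocomplete="off">
  <input type="password" name="confirm">
</form>
<form id="api-key">
  <input type="password" name="apitoken" autocomplete="off" />
</form>
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditPasswordFields(SAMPLE_HTML));
  console.log('still autofillable despite autocomplete="off":', riskyFields(SAMPLE_HTML));
}
```

Run it with `node audit.js`. The fields that `riskyFields` reports are the ones where a page author who relied on autocomplete="off" would see the behaviour Dan describes; the `apitoken` field is not reported because, under the assumed heuristic, no username-like input precedes it, so only the page-load case applies and that case honours the attribute. Which concrete form layout defeats Firefox's real heuristic is not stated in the mail, so treat the script's pairing rule as a starting point for checking your own forms rather than as a description of the browser.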