Re: [whatwg] Password managers ignoring autocomplete='off' harming security

On Wed, Oct 1, 2014 at 12:19 PM, Dan Poltawski <dan@moodle.com> wrote:
> Over the past few months all the browser vendors have moved towards
> ignoring autocomplete="off" with password fields.

> * The password managers are now all auto-filling these fields with
> passwords on the same domain and in many cases without the user even
> noticing (optional fields they wouldn't look at)

I was just reminded of this thread by a separate discussion that made
me look into Firefox's behavior with autocomplete="off" again. I think
I had an incorrect recollection of Firefox's behavior when I
originally replied. To be clear, recent Firefox has the following
behavior:

- autocomplete="off" is ignored when determining whether to prompt the
user to save a password after it is submitted
- autocomplete="off" is ignored when determining whether to autofill a
password in response to a user input (blur/tab/enter) in an associated
"username" field (determined heuristically)
- autocomplete="off" is NOT ignored when determining whether we should
automatically fill in a form when the page is loaded (without further
user interaction)

I had assumed your case was the third scenario, in which case
autocomplete="off" should still be effective. But perhaps you're
hitting the second case somehow. There may be ways for you to design
your forms to work around this issue.

(It may be best to just take this discussion off-thread, since this is
veering off-topic for the whatwg list.)

Gavin

Received on Tuesday, 14 October 2014 17:03:00 UTC
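As an added example (not from Gavin's message, nor Firefox or Moodle code), the JavaScript below encodes the three Firefox behaviours listed in the message as an audit a site developer can run over a form's fields: for each password input it reports which of the three paths autocomplete="off" actually suppresses. Two things are assumptions rather than statements from the thread: the "associated username field" heuristic is simplified to the nearest preceding text-like input in DOM order (the real browser heuristic is not described), and a form-level autocomplete="off" is treated as the default for fields that lack their own attribute, as the HTML spec defines. The two sample forms (a login form and a profile form with an optional password-type field, the case Dan describes) are constructed for illustration; the `fieldsOf` helper is only for running the audit against a real `<form>` in a browser console.

```javascript
// Added example: models the three Firefox password-manager behaviours from
// the message above. Not browser code; heuristics marked ASSUMPTION.

// ASSUMPTION: input types a password manager would treat as a username.
const USERNAME_LIKE_TYPES = new Set(["text", "email", "tel"]);

// Browser-only helper: flatten a real <form> into plain field records so the
// same audit can be run in a console against a live page.
function fieldsOf(formElement) {
  return Array.from(formElement.querySelectorAll("input")).map((el) => ({
    name: el.name,
    type: (el.type || "text").toLowerCase(),
    autocomplete: el.getAttribute("autocomplete"),
  }));
}

// ASSUMPTION: the username field paired with a password input is the nearest
// preceding text-like input in DOM order.
function associatedUsernameField(fields, passwordIndex) {
  for (let i = passwordIndex - 1; i >= 0; i--) {
    if (USERNAME_LIKE_TYPES.has(fields[i].type)) return fields[i];
  }
  return null;
}

// Field-level attribute wins; otherwise the form-level value is the default
// (per the HTML spec's definition of the form autocomplete attribute).
function isAutocompleteOff(field, formAutocomplete) {
  const value = field.autocomplete != null ? field.autocomplete : formAutocomplete;
  return typeof value === "string" && value.trim().toLowerCase() === "off";
}

// For every password field, report how the three behaviours apply.
function auditForm(fields, options = {}) {
  const formAutocomplete = options.formAutocomplete || null;
  return fields
    .map((field, index) => ({ field, index }))
    .filter(({ field }) => field.type === "password")
    .map(({ field, index }) => {
      const off = isAutocompleteOff(field, formAutocomplete);
      const username = associatedUsernameField(fields, index);
      return {
        name: field.name,
        autocompleteOff: off,
        // Behaviour 1: the save prompt after submit ignores autocomplete="off",
        // so it is never blocked by the attribute.
        savePromptBlocked: false,
        // Behaviour 2: fill on blur/tab/enter in the associated username field
        // also ignores the attribute; it is possible whenever such a field exists.
        userInputAutofillPossible: username !== null,
        associatedUsername: username ? username.name : null,
        // Behaviour 3: fill on page load honours autocomplete="off".
        pageLoadAutofillBlocked: off,
      };
    });
}

// Constructed sample forms (not taken from any real site).
const LOGIN_FORM = [
  { name: "username", type: "text", autocomplete: "off" },
  { name: "password", type: "password", autocomplete: "off" },
];

const PROFILE_FORM = [
  { name: "email", type: "email", autocomplete: null },
  { name: "city", type: "text", autocomplete: null },
  // Optional password-type field the user may never look at.
  { name: "enrolkey", type: "password", autocomplete: "off" },
];

console.log(JSON.stringify(auditForm(LOGIN_FORM), null, 2));
console.log(JSON.stringify(auditForm(PROFILE_FORM), null, 2));
```

Run under Node to see the two reports, or paste the functions into a browser console and call `auditForm(fieldsOf(document.forms[0]))`. For the profile form the report names `city` as the field whose blur can trigger a fill into `enrolkey` under the assumed heuristic, which is the kind of layout a developer would want to change (for example, by not placing a text-like input directly before an optional password field) if the page-load case is the only one autocomplete="off" reliably covers.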