RE: Security of Autocomplete - Good News!

I tested it in Edge, Chrome and Firefox and all seemed to work well. I use Chrome most of the time and the first form was completed fully after the first letter of my name was entered! Wonderfully speedy and the same worked in the secure version in Chrome.  The other two browsers required the entry of the first letter for each field before offering the correct options.

Best wishes
E.A.

Mrs E.A. Draffan
WAIS, ECS, University of Southampton
Mobile +44 (0)7976 289103
http://access.ecs.soton.ac.uk
UK AAATE rep http://www.aaate.net/

From: John Foliot [mailto:john.foliot@deque.com]
Sent: 27 February 2018 21:40
To: WCAG <w3c-wai-gl@w3.org>
Cc: stommepoes@stommepoes.nl
Subject: Security of Autocomplete - Good News!

Greetings all,

On today's call, I took the action to respond to Issue #775<https://github.com/w3c/wcag21/issues/775>. Before responding, I needed / wanted to do some basic testing myself.

I have created two forms that both include all 53 of the current @autocomplete tokens. The first form (https://john.foliot.ca/demos/autofill.php) uses input type="text" for all 53 inputs, and submitting the form echoes back the data being captured in the form fields. (Go ahead, give it a whirl.)

I have also created a second form, but this time I changed the bulk of the inputs to type="hidden" (I left the name-related fields as type="text", as most browsers and helper apps need at least "Name" to trigger the autocomplete functionality). The second form can be found at: https://john.foliot.ca/demos/autofill_hidden.php


My basic testing confirms that when a field input is marked as "hidden", the autocomplete functionality is removed or otherwise disabled by the browsers to preserve user security. I have not done any further (advanced) testing, and so I cannot rule out the possibility of rogue sites using other scripted methods<https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/> to try to override this security feature. We likely need to add a comment in the Understanding document noting this fact (maybe?).

I am in need of testing assistance for the OSX platform, as well as iOS. If you care to help, please ping me off-line.

Based upon these test results, I will craft a response for Issue 775 later today.

JF
--
John Foliot
Principal Accessibility Strategist
Deque Systems Inc.
john.foliot@deque.com

Advancing the mission of digital accessibility and inclusion

Received on Wednesday, 28 February 2018 09:06:13 UTC
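The check a site owner or auditor would want after reading the thread, as an added example (this is not code from the thread or from the demo forms it links to): walk a form's inputs, pick out the ones carrying an @autocomplete field-name token, and sort them by whether autofill is expected to reach them. Fields with type="hidden" go in their own bucket, matching what the thread reports the browsers do; text inputs that carry a token but are not visible to the user are outside what the thread tested, so the audit flags them for manual review rather than asserting anything about them. The 53-token list is the HTML autocomplete field-name list the thread counts; the category names, the visibility heuristic and the sample field records are this example's own assumptions.

```javascript
// Added example (not from the thread or John Foliot's demo pages): audit the
// inputs of a form for @autocomplete field-name tokens and group them by
// whether a browser is expected to offer autofill. The category names and the
// visibility heuristic below are this example's own choices, not a spec rule.

// The 53 field-name tokens of HTML's autocomplete attribute that the thread
// counts (the WCAG 2.1 "Input Purposes for User Interface Components" list).
const AUTOCOMPLETE_TOKENS = new Set([
  "name", "honorific-prefix", "given-name", "additional-name", "family-name",
  "honorific-suffix", "nickname", "organization-title", "username",
  "new-password", "current-password", "organization", "street-address",
  "address-line1", "address-line2", "address-line3", "address-level4",
  "address-level3", "address-level2", "address-level1", "country",
  "country-name", "postal-code", "cc-name", "cc-given-name",
  "cc-additional-name", "cc-family-name", "cc-number", "cc-exp",
  "cc-exp-month", "cc-exp-year", "cc-csc", "cc-type", "transaction-currency",
  "transaction-amount", "language", "bday", "bday-day", "bday-month",
  "bday-year", "sex", "url", "photo", "tel", "tel-country-code",
  "tel-national", "tel-area-code", "tel-local", "tel-local-prefix",
  "tel-local-suffix", "tel-extension", "email", "impp",
]);

// Extract the field-name token from an autocomplete value such as
// "shipping given-name" or "section-blue billing tel": the field name is the
// last space-separated token. Returns null for "", "on" and "off".
function fieldNameToken(autocomplete) {
  const tokens = String(autocomplete || "").trim().toLowerCase().split(/\s+/).filter(Boolean);
  if (tokens.length === 0) return null;
  const last = tokens[tokens.length - 1];
  return last === "on" || last === "off" ? null : last;
}

// Classify one field record { type, autocomplete, visible }:
//   "no-token"      no field-name token, so nothing for autofill to target
//   "unknown-token" token not in the HTML list (a typo, or not an autofill purpose)
//   "type-hidden"   type="hidden": the browsers tested in the thread skip these
//   "visible"       ordinary visible input: autofill expected
//   "css-hidden"    autofillable type but not visible to the user; outside what
//                   the thread tested, so it is flagged for manual review
function classifyField(field) {
  const token = fieldNameToken(field.autocomplete);
  if (token === null) return "no-token";
  if (!AUTOCOMPLETE_TOKENS.has(token)) return "unknown-token";
  if (String(field.type || "text").toLowerCase() === "hidden") return "type-hidden";
  return field.visible ? "visible" : "css-hidden";
}

// Group field records by classification; each bucket keeps the autocomplete
// values so the report can be read without the DOM at hand.
function auditFields(fields) {
  const report = { "no-token": [], "unknown-token": [], "type-hidden": [], visible: [], "css-hidden": [] };
  for (const f of fields) report[classifyField(f)].push(f.autocomplete);
  return report;
}

// Browser side: turn a document's form controls into field records. A control
// counts as visible only if it has a box inside the viewport and is not hidden
// via visibility/opacity (a heuristic assumed by this example).
function collectFromDocument(doc) {
  const win = doc.defaultView;
  return Array.from(doc.querySelectorAll("input, select, textarea")).map((el) => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    const visible = r.width > 0 && r.height > 0 &&
      r.right > 0 && r.bottom > 0 &&
      r.left < win.innerWidth && r.top < win.innerHeight &&
      cs.visibility !== "hidden" && cs.opacity !== "0";
    return { type: el.type, autocomplete: el.getAttribute("autocomplete") || "", visible };
  });
}

// Constructed sample standing in for a form like the thread's second demo:
// name fields left as type="text", the rest switched to type="hidden", plus
// one CSS-hidden text field, one mistyped token and one autocomplete="off".
const SAMPLE_FIELDS = [
  { type: "text", autocomplete: "given-name", visible: true },
  { type: "text", autocomplete: "family-name", visible: true },
  { type: "hidden", autocomplete: "cc-number", visible: false },
  { type: "hidden", autocomplete: "shipping street-address", visible: false },
  { type: "text", autocomplete: "email", visible: false },
  { type: "text", autocomplete: "firstname", visible: true },
  { type: "text", autocomplete: "off", visible: true },
];

if (typeof document !== "undefined") {
  console.log(auditFields(collectFromDocument(document)));   // paste into a page's console
} else {
  console.log(auditFields(SAMPLE_FIELDS));                    // offline run over the sample
}
```

Pasted into a browser console on the page under test, the script reports on the live form; run under Node it reports on the constructed sample. The "css-hidden" bucket is the one to read first: a token-bearing text input the user cannot see is exactly the kind of field the thread says its type="hidden" test does not cover.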