Issue 914451: Autofill does not respect autocomplete="off" (opens in new tab)

(bugs.chromium.org)

820 pointsbullman6y ago367 comments

367 comments

A few years ago, I left a $1000 tip at the restaurant up the street because Chrome filled out the tip field with my zip code (which thankfully merely defaulted to max $1000 instead). The tip field was off-screen, and the ordering software didn't have a confirmation screen, just a "we just charged your card $X amount" screen, which made my eyes boggle.

EDIT: Looking at the original March 17th, 2015 bug, it would have been at exactly around that time...In fact, checking my emails, this happened on March 18th, 2015. I had ordered from them several times before this with no problems (they used "chownow.com" for their ordering backend).

dmethvin6y ago

This has a lot of really serious implications. I built a form for a charity that allowed users to buy a subscription but include an additional donation amount. Chrome was sometimes filling that field with the two-digit year. The charity got a lot of complaints and it ruined the trust relationship with the donors who didn't understand what was happening and thought it was intentional.

mikorym6y ago

Chrome has other behaviour that I think violates a sort of trust relationship. One of which is that Youtube would ask you "do you want to install Chrome"? Almost as if your current browser is not "what you need to access Youtube". This is especially a problem for elderly people who often use the web but don't really understand how things fit together (the way 5 year olds actually do).

2 more replies

15709494369706y ago

Fun fact: something similar once happened in production in the early days of an iPad-based point of sale startup.

In certain cases, a previously-entered zip code was interpreted as the number of cents to tip.

userbinator6y ago

The tip field was off-screen

I wonder how much the [1] hiding of scrollbars and [2] UIs with excessive amounts of whitespace, increasing the need to scroll also contributed to you making this error.

jbeales6y ago

We have trouble in our org with autofill on our New Customer forms. Depending on the browser it can be very difficult to remove the saved autocomplete values.

mehrdadn6y ago

(How) did you resolve this?

1 more reply

sedatk6y ago

How do you pay with Chrome at a restaurant?

Scoundreller6y ago

Probably for pickup or delivery.

carstenhag6y ago

As I had already commented on the issue, it completely breaks Germany's main train ticket selling website:

https://i.imgur.com/BjYTgSn.png

They have tagged the field as autocomplete=off but Chrome just doesn't care.

Also see this linked issue where they collected valid use cases for autocomplete=off. They just seem to ignore 452 use cases (I can't comment on the quality of them, I did not read any).

https://bugs.chromium.org/p/chromium/issues/detail?id=587466

obituary_latte6y ago

OT: direct link bypassing imgur’s horribly hostile UX https://i.imgur.com/BjYTgSn_d.jpg?maxwidth=1640&shape=&fidel...

watwut6y ago

Imo, valid use case for autocomplete=off is "the developer of webapp wants it".

Literally that and nothing more.

Nitramp6y ago

It's called "user agent", not "developer's agent". We'd be in a terrible situation if the browsers just followed developer's whims. Cf. popup blocking.

7 more replies

klmr6y ago

Unfortunately a few developers are morons who misuse features, and browser vendors try hard to work around them. Case in point, lots of websites used to put `autocomplete="off"` on password boxes, which breaks some password managers. IIRC that’s why Chrome (and other browsers) decided to sometimes ignore the `autocomplete` attribute in the first place. Of course that doesn’t justify ignoring it completely (just for password fields) but maybe a similar reason is at play.

3 more replies

wdr16y ago

What if the user doesn't?

Rexxar6y ago

It's the same meaning but I would prefer "just follow the specification an let developer decide what they want"

atVelocet6y ago

Finally i know why this happens only in Chromium. This irritates me for quite some time now...

Seems that Chromium based browsers aren't favorable any more: Tracking, Bugs, uBlock extension is flagged, Manifestv3, etc.

But Firefox has the same problem since it ships with Pocket and other sync stuff. I know that they really do care but they have problems of their own which really make me think which browser to use. The actual situation right now is very frustrating...

phyzome6y ago

Pocket and sync are opt-in and seem pretty tame compared to the stuff in Chrome, just saying...

breakingcups6y ago

I use Firefox as my main browser on all my machines and haven't once been bothered about Pocket or other sync stuff. I vastly prefer it, for moral and technical reasons. I feared the switch from Chrome would be very hard and aggravating but it wasn't.

(The only thing that got me the first few weeks is that opening an incognito window is ctrl+shift+p instead of ctrl+shift+n. Once I got used to that I realized it actually makes sense because ctrl+shift+n re-opens a closed window just like ctrl+shift+t reopens a closed tab.)

1 more reply

lqet6y ago

Can anyone explain why the same behavior does not occur on https://www.sbb.ch/, the Swiss equivalent (which is based on the same software by HaCon)?

E: as soon as you submit a search on sbb.ch, the same problem occurs.

subroutine6y ago

Did you try using a first-letter of a location you commonly use in forms? Here is what mine looks like when I use 'm' (like OP):

https://i.imgur.com/NlzVqhT.png

and here's what it looks like when I enter 's':

https://i.imgur.com/1u4Iy7S.png

(actually, S does not autocomplete in the Swiss site)

2 more replies

carstenhag6y ago

Also occurs there. See https://imgur.com/a/4K73twK

lone_haxx0r6y ago

In general, I don't like software defaulting to convoluted "grandpa-friendly" behavior instead of the simple, no-bullshit behavior. Moreover, if you want the simple, sane behavior you're a weirdo and need to justify yourself.

Another example of this is chrome hiding "trivial" parts of the URL. i.e. any subdomain that coincides with "www" or "m".

takeda6y ago

I'm guessing chrome ignores, it because people often place the option when they shouldn't. I don't understand why browsers can't simply respect setting and perhaps provide option for the user to modify behavior per site per field with ability to save. They could go even step further and do what Opera used to do i.e. provide same defaults for most popular sites.

jmkni6y ago

I had this issue the other day, I solved it by generating a GUID each time the page loads and appending it onto the end of the ID.

Not ideal, but worked!

sandstrom6y ago

This has turned into a sad chicken-race between Google and developers, with lots of innovative workarounds on Stackoverflow.

Their tactic of overruling web developers doesn't work, it only make things more complicated for everyone, since many of the workarounds have other negative side-effects.

https://stackoverflow.com/questions/12374442/chrome-ignores-...

    ## Example 1

    For a reliable workaround, you can add this code to your layout page:

    <div style="display: none;">
     <input type="text" id="PreventChromeAutocomplete" 
      name="PreventChromeAutocomplete" autocomplete="address-level4" />
    </div>

    Chrome respects autocomplete=off only when there is at least 
    one other input element in the form with any other autocomplete value.



    ## Example 2

    Simply make your input readonly, and on focus, remove it. This is a very 
    simple approach and browsers will not populate readonly inputs. 
    Therefore, this method is accepted and will never be overwritten by 
    future browser updates.

    <input type="text" onfocus="this.removeAttribute('readonly');" readonly />

    Style your input accordingly so that it does not look like a readonly input.


    ## Example 3

    Tell Chrome that this is a new password input and it won't provide 
    old ones as autocomplete suggestions:
    <input type="password" name="password" autocomplete="new-password">

obituary_latte6y ago

I think it mentioned chrome is even now ignoring ‘display:none’ and ‘visibility:hidden’ declarations so those workarounds no longer work either.

msclrhd6y ago

Great! :( Now I need to recheck to see if an autocomplete bug has reappeared where it thinks an email address field is a username field in a change password UI and autocompletes the email address with the username from the login page.

Sigh!

1 more reply

identity06y ago

Why would they ever do that. That’s just asking for autofill phishing.

scient6y ago

Preach. Them changing the rules and overriding the usage of this attribute is ridiculously stupid in the first place. HTML attributes are there for a reason, developers are supposed to be able to use them and they are supposed to work as expected. But in order to push their password management and form filling functionality, they just give everyone a finger.

pas6y ago

At the same time many many many dumb corp-o-rat shit sites disable autocomplete because cOmpLiEncE. And users love autocomplete...

Naturally the problem is choice. Chrome/G should show a button to auto fill fields.

They could simply unleash some AI magic, train a network to recognize good and bad sites, etc. (Aka. the Apple way. As they also have a we know better policy, and users seem to love that.)

EugeneOZ6y ago

I haven't tried it, but maybe div with "contenteditable" could help?

notatoad6y ago

This is what I resorted to on one of our internal tools that wants a phone number to be entered and kept getting auto-completed with our staff'S phone numbers.

I wouldn't recommend it for public use. There's a lot of subtle behaviour around an input field that you'd need to replicate manually.

clairity6y ago

> “ This has turned into a sad chicken-race...”

great dash use! i almost read that as a race of sad chickens (seriously) but the dash autocorrected me. bravo!

jchw6y ago

Because other people here are throwing in their frustrations, I will at least add that on the flip side I have been frustrated by sites that attempt to disable autofill for illegitimate reasons, like attempting to disallow password managers. I think I understand where this is coming from.

On the other hand, I, too, have been bit by this at least once, in the past. I think it was easier to just disable it at that time, but IIRC, the solution we landed on was to not use form controls at all but switch said text controls over to use content-editable elements. In our case it made sense, since it was not a form at all. My memory could be a bit hazy here, though.

(I do not work on Chrome or use Chrome at home, but as disclosure I do currently work at Google.)

gnud6y ago

Chrome explains in their security FAQ [0] why they don't adhere to autocomplete=off for password fields.

They could still follow it for other fields.

0: https://chromium.googlesource.com/chromium/src/+/master/docs...

kevincox6y ago

Of course then websites will just stop using password fields and that is awful for security and convinced.

kerng6y ago

Shouldn't the work on changing the spec, rather then confusing majority of developers and causing even financial loss and embarrassment for many? This thread is filled with cases where this caused issues.

Google should spend their cycles to work on a standard for password managers. The current design of those is flawed anyway.

anoncake6y ago

I think we need a way to disable features only for those developers that abuse them. Like uMatrix but built-in and with rules being supplied automatically as ad blocking lists are.

You autocomplete=off a password field? That attribute won't have an effect on your site anymore.

You auto-play videos when the user doesn't expect it? What videos? The web doesn't support videos – as far as you are concerned.

Scroll hijacking? I hope you used progressive enhancement because you just lost your Javascript privileges.

Roritharr6y ago

This is actually a reasonable proposal. A moderate list could be an in-built feature, with some config options.

1 more reply

basch6y ago

I asked if something similar was coming to Brave, and the answer was yes. Opera maintained what i believe was a somewhat community powered site patching repository back in the Presto days.

https://news.ycombinator.com/item?id=20831774

msclrhd6y ago

Can we have a reliable cross-browser way to say "this is a change password field, so don't autocomplete it" and "this is an email address field not a username field, so don't autocomplete it with the login username"?

4 more replies

anticensor6y ago

I even found a name for such an extension: PunishIt.

doctorpangloss6y ago

Disabling autocomplete is so incredibly frustrating that I ran an extension in Safari to remove the off tag from sites. Of course I want to use KeyChain, the whole point is that touch based ID is more secure.

Nitramp6y ago

I have my own extension for Chrome that yanks the autocomplete attribute. I much rather deal with over eager completion than websites disabling it for silly reasons and pseudo security.

httpsterio6y ago

Touch based are not better. Your fingerprint is not a password, it's just an identifier and shouldn't be treated as a secret.

2 more replies

cdubzzz6y ago

We recently had to go through a website project and disable autocomplete on all password fields after a security scan as part of a PCI compliance process. For autofill password it didn’t seem to have any effect in _any_ browser I tested in. How can it be used to thwart password managers?

driverdan6y ago

Why would you need to disable autocomplete passwords for PCI compliance?

1 more reply

ss30006y ago

Setting aside the merits/lack-thereof of this particular decision, Chromium ignoring established web standards like this is especially dangerous as we're trending towards a world where 1) Chromium itself powers the most popular browser in the world by an increasingly unhealthy margin, and 2) even competing browsers are increasingly becoming skins on top of Chromium.

We are becoming more and more reliant on the developers of Chromium to be steadfast stewards of the standardization process. Their massive influence means that any deviation from actual web standards on their part will inevitably create a new and conflicting de-facto standard that will create decades of lasting damage and irreversible tech debt for the entire web (eventually leading to a repeat of the IE6 dark ages).

Decisions like this demonstrate an utter disregard for the crucial role Chromium plays in the web standardization process, and jeopardizes the entire ecosystem.

ss30006y ago

W.r.t. this particular decision, I feel a more reasonable approach here might have been to allow users to manually trigger autocomplete on individual fields with `autocomplete="off"`, and/or to allow users to strip away the ability to disable autocomplete on a site by site basis.

Analogously to how users are able to selectively grant access to certain default-off features for each website (notifications, camera access), users should also be able to revoke access to certain default-on features for sites that abuse them without affecting the vast majority of sites that use the features for their intended purposes to create a better user experience.

jjcm6y ago

This isn't even the first time we've seen this either. Both Chrome Mobile and Safari Mobile go against the standard and implement `vh` incorrectly.

Honestly it seems strange that they go against the standard though considering how much power they have in defining it. Why break from the standard when you can just update the standard. It ends up being the worst of both worlds - documentation that says one thing (that they had a hand in building) and an implementation that does something completely different.

chrismorgan6y ago

Admittedly, the viewport units are just all-round badly thought out and fundamentally broken. (The corresponding problem with vw is that the viewport units includes viewport scrollbars, so that on a page with vertical scrolling, `width: 100vw` will cause horizontal scrolling on platforms where the scrollbars take space.)

1 more reply

Natanael_L6y ago

All browsers on iOS are Safari wrappers

1 more reply

ko276y ago

Strictly speaking, Chrome is not ignoring a web standard, since the standard does not require this behavior (no "MUST" keyword).

obituary_latte6y ago

Well they are ignoring hundreds if not thousands of developers which is the main issue at this point.

3 more replies

dwb6y ago

That depends entirely on your interpretation of RFC 2119 in this context – whether you consider Google to have "valid reasons" or not. It's not an objective or inarguable issue.

ss30006y ago

Point taken. Maybe in this case the spec authors were also at fault for leaving too much leeway in the implementation.

Nevertheless, from their stance on the issue so far it stands to reason that the Chromium team would have objected to any efforts to tighten the spec, which would also have led us to this same situation.

azernik6y ago

I ran into this last week (with LastPass, not Chrome - this seems to be a common practice):

I have a form where users enter information about their suppliers (I make restaurant management software). This includes a field for the contact email address, which LastPass was autofilling the email address the user used to log in. This happened silently, quickly enough that users wouldn't notice it on page transition, and would overwrite the initial value. Even with autocomplete=off.

This was a DATA LOSS bug - users would load the page, make a few changes, save, and not notice that they'd lost the email address they'd stored for the supplier. Fortunately LP has a method to force disabling of autofill (data-lpignore=on), but this could have all been avoided if they'd followed the spec I was relying on. I still don't know if some other password manager, maybe built in to Firefox or something, will make the same mistake, haven't had time to check yet.

iforgotpassword6y ago

Similar thing at my last job. Some internal webapp that was communicating with a bunch of other services. Whenever you edited the connection to such a backend you'd get a bunch of settings to change, as well as - depending on the backend type - credentials to talk to that other service. So if you were saving your credentials to that web app, whenever you edited such a backend connection, it would overwrite the username and password field in that settings page with your credentials for the web app itself. Even though the fields were pre-filled with the current values in the html the server sent you, chrome just went ahead and replaced them on page load. It happened more than once someone accidentally saved the settings and replaced the actual credentials for the backend with their login credentials for the webapp. So anyone accessing that edit page afterwards could steal their coworkers password.

So at some point a colleague went ahead, found the template and added a fake username and password field at the very beginning of the form that had something like "position: absolute; top: -2000" (after an hour of failed attempts with the autofill attribute and using hidden fields and whatnot).

So yes, f*ck those Google devs on their high horse.

notatoad6y ago

The LastPass on is especially horrific because it fills in fields that are already filled, and it fires a change event. So if you're auto-saving on a change event, that data is lost as soon as the page is loaded.

kerng6y ago

The entire design of password managers that hijacking the DOM is flawed.

1 more reply

Geeflow6y ago

As a user, Chrome's autocomplete went down the drain for me once they started to fill all fields at once. I tried to autocomplete one field and often chrome filled the other fields with unfitting data. This happened so often that I started to manually complete fields even if autocomplete was available. I still miss the good old times[tm] of single-field autocomplete...

(And for the record: As a developer, I have been bitten by Chrome ignoring autocomplete="off" as well.)

megous6y ago

Yup, I like how FF does it. I basically just do a repeated sequence of:

TAB -> Arrow Down (select one of the previously filled values I've used) -> Enter

When filling a form. Given that sometimes we order things on made up names, it's quite useful no to have that autofilled when we're not wanting to.

stefan_6y ago

This is a bit of a missing perspective. I wouldn't even care about them not following autocomplete=off if the damn autocomplete was useful. Instead 90% of the time I'm fighting it.

They really, really need to stop trying to autocomplete entire forms, and probably not anything other than "user/password" forms. The whole 'look at this input id and match it to a bunch of categories' approach has been thoroughly debunked as useless.

TekMol6y ago

I guess this will lead to a horrible coding style where instead of having this in the form:

    <input name="email">

We will see stuff like this:

    <input name="16fkr9547kancot944128sddfksdf934998aafccugt75">

Where developers use some type of abstraction that generates a random id for each field and then assigns it to the original value server side or in javascript.

Just like they already randomise asset filenames to avoid caching.

wiredfool6y ago

I’m doing this with a field where I provide server side autocomplete of an item. It sucks, but I can’t find a better workaround.

masklinn6y ago

MDN literally mentions jquery.disableAutoFill which basically does that for you under the cover (scrambling the name on display, and unscrambling on submission).

StavrosK6y ago

Your comment about randomizing filenames got me thinking. It would be great if we could add a cache key to the HTML element, that way we could cache everything forever with the same filenames and still invalidate things by just making the key being the SHA of the deploy. Too bad that's not a thing.

jstanley6y ago

That is a thing already!

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

1 more reply

ProfSarkov6y ago

It's like Internet Explorer 6 all over again. SAD.

donatj6y ago

lol, years and years ago (like 2005) as an attempt at stopping XSS and CSRF attacks and bots I came up with a system that named all the inputs a salted MD5 of the intended name with the salt randomly generated then stored in the users server side session.

It’s still a reasonably effective solution for CSRF, though there are much simpler options, but today’s bots largely have cookie jars so you will likely need a CAPTCHA.

Thorrez6y ago

How would it stop XSS? Is it meant to stop attackers from getting JS execution on your site, or to mitigate the attackers' abilities after they have JS execution? I don't see how it would do either.

2 more replies

xg156y ago

> Just like they already randomise asset filenames to avoid caching.

But why? Isn't the whole point of caching to improve delivery if static assets?

Did they run into staleness problems? Then why not use if-modified-since/if-none-match?

noselasd6y ago

You are assuming browsers(there are many more than chrome&ff) ,proxies, etc. do caching correctly.

1 more reply

mxxx6y ago

Yep. We recently noticed this problem after renaming form fields for the purpose of accessibility (screen readers)

VMG6y ago

Autofill for offscreen elements gives me the creeps even without the data getting misinterpreted

dmix6y ago

This is why form elements should never be hidden after loading. Display none should be the default in the HTML for non-relevant content, which should be enough for most autofillers. It also prevents flashing of content when autofillers try to populate it, causing the hiding to delay, which I recently saw in a production app.

Frameworks like React and Vue don’t even render the HTML into the DOM until conditions are met so the situation is improving.

Another positive step away from jQuery hackery!

pantalaimon6y ago

If you want to be malicious and capture wrong auto fill data, wouldn't a simple AJAX request on change be enough to capture sensitive data before the user gets a chance to correct it?

2 more replies

meredydd6y ago

If you think late rendering or "display:none" will put Chrome off, think again! The anvil.works IDE is Angular, so it's all rendered post-loading, and Chrome still autofills the weirdest things. Relentlessly.

Search boxes? Sure! App titles? Yeah, one week a bunch of our users' apps got renamed to the author's email address.

Being an IDE, of course, there are lots of places where inserting random text will break things. When I open up the console and see it filled with "'meredydd@anvil.works' is not a valid Python identifier"? That's the signal to go hunting for which dynamically-generated off-screen text box Chrome is stuffing credentials into this week.

TL;DR Chrome's autofill is out there. It can't be bargained with. It can't be reasoned with. It does not feel pity or remorse. And it will not stop.

yk6y ago

That begs the question, at which point does autofill happen in an iframe? So I pay for an ad, and have a password, creditcard number, address etc. form in the background. Does the browser autofil, or does it autofill when the user starts to fill in a form in the foreground?

Asking for a friend.

1 more reply

throwaway_bad6y ago

And worse part is that autofill still works in incognito.

TazeTSchnitzel6y ago

Oh yes. I seem to recall it was demonstrated as a way to covertly steal user information from the browser a while ago.

Hamuko6y ago

Haven't browsers already done changes to combat that?

sky_rw6y ago

Curious as to the global business impact this has had. I personally have spent at least a dozen hours debugging forms and trying to disable autocomplete/autofill on my kiosk-based applications. How many development hours collectively have been wasted on this unilateral decision.

I have not been this frustrated since the days of writing css for ie6, and at least back then the devs response was more "sorry its our rendering engine" and not battre just saying GFY seemingly out of disdain.

I try to be as free-market as possible but I sure wish that the w3c had some teeth when it came to things like this.

sundbry6y ago

You're not the only one. I remember spending a good two days on it this year for a page where the user puts in their credentials for external integrations.

albertzeyer6y ago

Btw, at http://google.com, this is what they have for the search field:

carstenhag6y ago

Does anybody have a clue why it does not show up there? The Google team must have done something in order to circumvent what the Chrome team did. Horrible.

goatinaboat6y ago

Overall, I still believe that neither of the extreme strategies ("always honor autocomplete=off"

Is it “extreme” now for a computer to do what the user wants and not what a random Google employee wants? How does this differ from malware?

ProfSarkov6y ago

It's also in the spec.

People might not like the spec or it might be incomplete, but adhering to it is a very important part of improving it until it's a good one.

Now I'm no webdev, but I could very well imagine that the spec is already a good one. So the situation might be even worse.

ko276y ago

No, it's not a requirement in the spec. Chrome is actually spec compliant regarding this issue.

nikanj6y ago

The spec only says "should", not "must". Apparently these wingnuts thought that means the spec can be ignored.

2 more replies

shpx6y ago

autocomplete=off is set by website developers, not users.

jussij6y ago

However the more important point made by the OP still remains which was some random Google employee chooses to ignore it.

lstamour6y ago

The way I see it, autofill off should mean off and if I click the icon in the address bar to bring up, well, let’s call it “quick access to per-site settings” then maybe I could override it for a specific page load or site, like you can Flash, etc.? This per-site configuration is starting to become “normal” given iOS 13 does the same in Safari for permissions, content blocking, automatic reader mode, etc. It would make sense that the default is “follow the HTML5 spec” but you could put a notice in the address bar if you really felt otherwise...?

Safari does a much better job by only filling visible form fields, I think (though it too has a tendency to put my address both in Line 1 and Line 3, which is annoying...).

the_pwner2246y ago

Explanation from the 'rogue Chromium dev' is linked to in comment 19 of this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

https://bugs.chromium.org/p/chromium/issues/detail?id=468153...

antoinevg6y ago

...which really makes it worse:

1. Our programming language has an attribute called "autocomplete" with two possible values: "on" and "off"

2. We will now (without consultation or announcement) simply start ignoring one of those values when you specify it. (and certainly not document the new behaviour!)

3. Here, I made you a convoluted (and undocumented!) workaround for getting the original behaviour of the attribute back.

I'm not sure which horse these FAANG kids who excel at programming challenges rode in on, but this attitude is RIFE in their product SDK's and API's.

Dijkstra must be spinning in his grave.

tgv6y ago

All that based on an increase in page submissions. Is that the goal of auto-complete?

The research behind the number (25%) is highly dubious, because the video cited as the source doesn't tell how it was done. At all. Ironically, it follows a section on how MDN is documenting the standards, and how that "contribute(s) a lot".

mnoorenberghe6y ago

There are more than 20 different valid field name tokens in the spec, not just “on” and “off”[1]. If web developers actually used the other values correctly then user agents wouldn’t need to use heuristics to figure out the correct data to autofill.

[1] https://html.spec.whatwg.org/multipage/form-control-infrastr...

mehrdadn6y ago

I'm reminded of an earlier comment: https://news.ycombinator.com/item?id=21083277

Carpetsmoker6y ago

> somewhere along the journey of the web autocomplete=off become a default for many form fields, without any real thought being given as to whether or not that was good for users

And here I was, all along, thinking that website authors were in control of how their websites behaved. How silly of me!

Reelin6y ago

It's complicated. Sometimes website authors do silly things that negatively impact users; browsers ought to help (without breaking things!) where possible.

Some daily annoyances that I wish browsers would actively mitigate, in no particular order: js-based redirects, blocking copy-paste, disabling text selection, hijacking the forward slash to open the website's own search function (I'm looking at you, Github), hijacking any of my other keyboard shortcuts that I rely on, creatively breaking my back and forward buttons (yes I realize there are legitimate reasons for some webapps), and overriding the built in right-click context menu.

2 more replies

rcxdude6y ago

They are in control of their servers. They are not in control of how the user agent (clue is in the name) interprets the javascript and HTML sent to it.

GrayShade6y ago

Firefox used to ignore autocomplete="off" until relatively recently. I'm sick of sites thinking they know better than me -- like those who don't let me paste in the password field. While I understand the good use cases for this attribute, given the binary choice I would rather have it ignored.

mcv6y ago

That is absolutely stuff that the user needs to be able to override. In fact, anything related to cutting and pasting is not something I think the browser should mess with.

Also: websites that generate a custom login name or password for me so I won't remember it, and then refuse to allow autofill or pasting. Fortunately dev tools are standard on the desktop these days.

(I would really, really like access to dev tools on mobile, though. It's simply necessary to get around some broken websites.)

elcritch6y ago

In best cases there’d be an option to honor the attribute or not.

andrewstuart6y ago

The weird thing is that there's other teams within Google who offer autocomplete libraries that simply don't work because Chrome overlays it's own autocomplete on top.

The maps team seems to have given up on trying to resolve that.

Chrome team have made a judgement that autocomplete is required and no-one - not even other teams within Google are allowed to override that functionality.

It's weird.

nikanj6y ago

Google really is the new Microsoft

sixothree6y ago

In spirit maybe. But in practice it seems worse.

jefftk6y ago

> not even other teams within Google are allowed to override that functionality

Isn't that how things should work? If other teams within Google had a special way to override autocomplete wouldn't that be worse?

(Disclosure: I work at Google)

andrewstuart6y ago

My point is that this decision from the Chrome team even breaks Google's own software.

This emphasises the craziness of the unilateral decision by the Chrome team which is essentially saying: "we, the Chrome team are correct and everyone else can go jump in the lake".

I'm not suggesting that Google should have secret special ways to do things.

1 more reply

xg156y ago

Relevant reply from a Googler seems to be this: https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

by battre@google.com

... which doesn't read at all to me like a "rogue dev" and more like a shared sentiment inside the Chrome team that autocomplete=off should be ignored.

At least, if there is a direct spec violation that breaks all kinds of applications and the answer your hear is "oh well, we're working on giving the user more options and improving our algorithm", that's not exactly encouraging.

bullmanOP6y ago

It is a direct spec violation, and it is breaking all kinds of applications.

Look, I get that this capability is super useful on shopping sites, and I rely on it practically every day.

But, I also build enterprise applications, where Chrome simply would not ever understand or know what would be valid choice.

I do, though; I built it. Invoice Numbers / Pre-Validated Travel Dates & Locations / Pre-Validated Locations / Pre-Validated IssueID that are so esoteric, we have built custom autocomplete that provide additional relevant information / Pre-Validated Users where the number of valid "John Smith"s number in the 10s, and additional meta data must be provided to differentiate.

Application developers need a reliable, durable way to tell the UA that a particular field should never be autofilled or autocompleted. The spec says this is autocomplete=off. Just do that.

tannhaeuser6y ago

It's odd that the linked bug report references and complains about W3C specs when browser/HTML specs have been coming from WHATWG for well over ten years now. W3C has ceased publishing HTML with W3C HTML 5.2 in 2017, and has announced an intent to merely publish WHATWG snapshots going forward; so far, I'm not aware of any actual work under this model by W3C.

But OTOH that Chromium interprets form field names heuristically to enable auto-autocomplete is worrying, and reflects poorly on the whole "standardization" process by WHATWG.

Santosh836y ago

Indeed. Chrome and Firefox both autocomplete my user name and password into GitHub's new user registration form, even though I already have an account. It's flaky and just asking to be abused.

duxup6y ago

It's really frustrating to have to work around this with hit or miss hidden inputs and such.

So many cases too where auto complete misfires an obliterated forms that had helpful placeholder text.

Just having a user change passwords and auto complete will often put an old saved password in the first field but not the second confirmation password field.

johneth6y ago

> Just having a user change passwords and auto complete will often put an old saved password in the first field but not the second confirmation password field.

You can hint to the browser which password you want to autofill with autocomplete="current-password" and autocomplete="new-password"

duxup6y ago

I've found that auto complete still sometimes guesses at what to do in that case depending on what the other fields are. At least it did last time I fought with it.

Hokusai6y ago

I do not get from where it comes that it is a rogue developer. I have worked in many companies where developers make mistakes. And, it is always the ways of working, giving more priority to features than quality, and similar cultural attributes of the company at fault.

The only time I saw this being a rogue developer was a commit and run done by a guy on his last day.

It is easy to blame one person when actually is a systemic failure that needs to be addressed at the company level.

londons_explore6y ago

I agree - and in fact, I think accusing this guy of being rogue is an unnecessary direct attack on him/her.

They are just doing their job, and in this case, acting in what they believe is best way for users. Here on HN, it seems most disagree, but that is still no reason to accuse someone of being rogue.

Headline should be "Google Chrome actively ignores HTML5 standard"

jefftk6y ago

The standard says "SHOULD", not "MUST".

(Disclosure: I work for Google)

3 more replies

speedplane6y ago

I run a site with a normal login/password, but which maintains passwords for other systems. It's pretty frustrating when the internal external usernames are autofilled with the username from our site. It confuses the user, suggesting that the username from the external site should be the same as our own.

PerfectElement6y ago

I was using Google Places' address auto-complete on a CRM, and most users loved it. Chrome's behavior completely broke this functionality by overlaying their auto-fill on top of Google Places suggestions, with no sane way to disable it. We decided to stop using address auto-complete and force our customers to type the address fields instead.

Ironically, we were paying Google a few thousand dollars per month for this, so they are not getting our revenue as a direct consequence of Chrome's behavior.

dazbradbury6y ago

I'm not sure who Chrome think they're helping. We get many, many users contacting our support team because of this feature / bug on https://www.openrent.co.uk.

It's frustrating, we've used workarounds, which then stop working and reports come flooding in again. It's crazy to me that the Chrome team think this is better for users, and that there isn't a more intelligent workaround for sites abusing autocomplete=off.

vidarh6y ago

At some point the alternative will be to implement a custom input control, which will just be awful in all kinds of ways, but it's just as awful to have Chrome think it knows best in some contexts.

andrewstuart6y ago

The Chrome dev team have implemented autocomplete the way they think it should work, not the way web developers want.

You cannot switch off Chrome's handling of autocomplete, thus any other autocomplete implementation will be overwritten by Chrome's handling.

Chrome team feel they know best.

chris_wot6y ago

They are becoming the Gnome of browsers. The Chrome dev team seem to be getting more and more user hostile.

nordsieck6y ago

> They are becoming the Gnome of browsers.

What they're becoming is ie6.

avodonosov6y ago

Bad that chrome developers don't practice web development enough to know the use cases where ignoring autocomplete=off breaks the application.

mgoetzke6y ago

Or line of business applications which (when rendered with Chrome) wants me to pick from my credit cards when I enter a certain field which has nothing to do with credit cards. I think it depends on the field name, but there seems to be a very loose correlation.

needle06y ago

Another reason to abandon ship and switch to Firefox.

avellable6y ago

With the new direction chrome is going I wouldn't mind putting "works best on anything but Chrome" on my next web project.

dustinmoris6y ago

I was thinking the same, websites should just have a big popup somewhere saying that the website might not work on Google Chrome, because it is W3C compliant and Google Chrome doesn't implement W3C standards, whith links to download alternatives browsers.

vntok6y ago

Please go read the spec, you will find that Chrome is perfectly compliant with it regarding the autocomplete attribute handling.

dang6y ago

The submitted title was heavily editorialized:

"Rogue Chromium dev lead ignores W3C 'autocomplete' spec; frustrates Internet"

lowercased6y ago

> This causes some problems, e.g. in <input type="text" name="name">, the "name" can refer to different concepts (a person's name or the name of a spare part).

Maybe I need context, but I don't understand why they're trying to 'guess' context around 'name' and trying to autofill something - either a spare part or a person's name.

Doesn't "name='name'" indicate that it should refill with the previously filled value of field named 'named' on that same page/document/url? Why are they trying to add algorithmic complexity on to already existing stuff?

This might make more sense, no? Let chrome try to determine a 'name' based on whatever logic they want.

velox_io6y ago

There's a major security flaw with auto-fill when it comes to passwords. Sure, it's hidden on screen, but you only have to change the password box's type, so it isn't "type='password'" and it is revealed. This only takes a matter of seconds.

Chrome should remove the password if there is any attempt to change that form object.

This flaw has been there for years, it's actually handy if I'm not sure what the password is.

Someone12346y ago

If you can modify the type of the field, you can also read the field's value without changing the type (e.g. document.getElementById('password').value from the console). Even just using the address bar via javascript:{alert(document.getElementById('password').value);}

As Raymond Chen and others call it: "the airtight hatchway problem."[0] Meaning you're sitting in a context where you can steal the password in infinite ways and complaining about the easiest one. But ultimately fixing that one way still leaves infinite remaining ways.

You're in the superuser context for the webpage. If you can modify the password field's type you can literally do anything to that page.

[0] https://stackoverflow.com/questions/2787853/arent-passwords-...

Smithalicious6y ago

Is this really an issue? Presumably anyone with access to the browser can acces saved passwords anyways; the censoring only prevents onlookers from reading it.

Avamander6y ago

Actually on Windows at least Chrome asks for a password when trying to view all passwords. So it isn't _that_ easy.

user59944616y ago

>>> - How to trigger the hiding? - right mouse button menu or (more likely) something in the drop down? where would we put that? ...

Mobiles notoriously don't have mouse buttons, so any UI relying on right-click will not be usable there.

It's odd that Google is considering mouse-based workarounds in all considered solutions, as if unaware of that. or maybe Chromium is only the desktop browser?

packetized6y ago

This position seems at odds with a recently opened WHATWG issue.

https://github.com/whatwg/html/issues/4986

codegladiator6y ago

> if you add an <input type="hidden" autocomplete="username" name="does_not_matter" value="{the actual username}"> before your current-password and new-password fields, Chrome should get it right

I can't believe that this suggested hack is coming from google.

https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

platz6y ago

> Comment 66 by battre@google.com on Tue, Oct 8, 2019, 3:48 AM CDT (5 days ago) - Overall, I still believe that neither of the extreme strategies ("always honor autocomplete=off" and "never honor autocomplete=off") are good

https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

We're in for the Long haul on this one.

tyingq6y ago

Discussion about a demo of the issue...

https://news.ycombinator.com/item?id=13329525

marcoseliziario6y ago

If you look at the chrome sources you can find this flag:

const char kAutofillOffNoServerDataDescription[] = "Disables Autofill for fields with autocomplete off that have no " "crowd-sourced evidence that Autofill would be helpful.";

So, at least in a company, this should work to avoid autocomplete making corporate apps unusable.

another thing that seems to work for me, is adding role="combobox" along with autocomplete="off"

tehabe6y ago

I guess this bug is the real reason why I turned off auto-fill in the browser a while ago, because it acted weird a lot of times.

asdf-asdf-asdf6y ago

title is wrong, the spec is not ignored. spec says: " When an element’s autofill field name is "off", the user agent should not remember the control’s data, and should not offer past values to the user. "

please note that it uses "should", not "must". these words have precise definition in specs, see RFC2119:

" SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. "

one may argue whether chrome has valid reasons or not, but saying they ignore it is incorrect.

mstade6y ago

> [...] there may exist valid reasons in particular circumstances [...]

(Emphasis mine.)

Is it really spec compliant when the "particular" circumstance is all of them?

chris_wot6y ago

Previously closed as WONTFIX: https://bugs.chromium.org/p/chromium/issues/detail?id=468153

chris_wot6y ago

Later they filed:

https://bugs.chromium.org/p/chromium/issues/detail?id=587466

marcoseliziario6y ago

So far this combinations seems to be working for me

role="combobox" autocomplete="off"

onion2k6y ago

Does Chromium not have anyone doing QA or acceptance criteria? A rogue dev lead could make whatever feature they want, but there should be a robust process of testing by many people before the feature makes it in to a production build.

aiCeivi96y ago

I hat to fight with browser autocomplete in Kibana main search bar. On the other hand I guess it is the same as right mouse button - I don't allow any site to capture that event since some abuse it.

dannykwells6y ago

A rare example where an editorialized HN post title is appreciated. Bravo!

sm4rk06y ago

Just stop using Chrome. There are good (even better) alternatives.

edoceo6y ago

I use autocomplete="x" and it seems to work for my apps.

Both Twilio and NameCheap seem to have login that defeat autocomplete in a nice way. Haven't investigate their tricks

mfer6y ago

> This has turned into a sad tit-for-tat between developers and Chrome, where no-one is winning.

Not the kind of relationship you want to build with an army of advocates

enriquto6y ago

I love the edited title of this post. It reflects accurately the reality of the situation. Hey, battre, hi there! You are famous now!

robotstate6y ago

I wrote a Medium article on how to actually turn it off 3 years ago that consistently gets about 500 views a week to this day.

phendrenad26y ago

I wonder what kind of engine overhaul Chrome is doing to cause all of these strange breakages.

smashah6y ago

This also screws with notion to the point where I've largely stopped using it at all

wolco6y ago

As a developer this can be fixed by using unique field names.

iandanforth6y ago

We're Google, we don't have to respect the spec.

tus886y ago

I would love it if someone explained how 'autocomplete=off' can lead to abuse of some kind. It seems to reduce the potential for security leaks.

pilif6y ago

It causes spec-compliant password managers to not work.

Unfortunately, disabling autocomplete for password fields is an often used form of security-theatre

techsupporter6y ago

Combine that with sites attempting to block pasting in a "complex, secure" password and I start to see Google's point here, bad as I don't want to. How "auth" is handled, at almost every layer, seems about as badly broken as "security" in the U.S. banking system.

Fortunately, Firefox gives me dom.event.clipboardevents.enabled so I at least need not worry about my workaround being broken.

tmd836y ago

Here's the tricky thing and I don't have a solution that doesn't get abused. I hate that lots of bank do this but I also have a use case for password autocomplete=off. We operate in an industry where shared computer access is very common and the risk of users saving password in browser is real and too high.

As I said don't know what the answer is. I definitely want someone using password manager be able to use them. Using a password manager is a conscious choice with setups involved. Browser's default autocomplete is often not. I don't know how to separate these two out.

3 more replies

tus886y ago

Ok, but how is that abuse? And if autocomplete=off is part of the html standard, how are the password managers spec compliant if they can't deal with it? Are people doing this just to annoy users who prefer password managers?

1 more reply

rndgermandude6y ago

Then only ignore autocomplete=off for forms that have password fields.

Sure, stupid devs can still work around that too, but so can they work around the current ingore-always behavior.

flaviu16y ago

> It seems to reduce the potential for security leaks

Misguided views like this are exactly how. Turning off autocomplete doesn't improve any sort of security, since the site already needs to trust the browser.

It serves no purpose other than to frustrate the user, and might even reduce security if it prevents the user from easily making use of a password manager.

mike_pol6y ago

Agreed on password fields, however if you have a webapp crm it causes so many problems. And also giving a solution of "hey just put something that we don't understand in the autocomplete so we won't try to autocomplete it" is really not a solution at all.

Imagine if instead of autocomplete it was something like ignoring font sizes/color because they detected that engagement was low when font size was whatever so they render it differently. A browser should render HTML not make decisions like these

1 more reply

vidarh6y ago

It does sometimes improve security for the user.

This happens when the auto-complete triggers on things it shouldn't and the user doesn't notice and submits personal details they never wanted to send to the site at all.

I've had to struggle a lot with working around Google's wrong-headed approach to this because this actually happens to real users. It's downright irresponsible, and I think frankly it's just a question of time before EU data protection watchdogs starts to take notice. All it will take is a sufficiently bad case of unintended disclosure of personal information (e.g. imagine a domestic abuse victim accidentally having their new address auto-completed in just the wrong situation).

(EDIT: this also easily happens with web apps where someone has to enter details for different users in the same forms multiple times; it get's very easy to end up not noticing Chrome auto-completing details for unrelated users; if that information is later visible to the user, it creates a real risk of leaking personal information)

pyrale6y ago

When user experience is bad, the website suffers, not chrome.

When chrome devs believe it is their role to alter ux, they are backseat driving.

throwaway20486y ago

plenty of stuff (like credit card info for instance) should absolutely never be auto-completed. The browser storing that sorta stuff to disk is stupid and completely avoidable.

Already caught chrome doing this to my Social Security Number before i disabled the functionality entirely. The idea of Chrome automatically auto filling any form it sees labeled "SSN" on any site dosen't inspire confidence.

2 more replies

avodonosov6y ago

From previous discussions I remember payment and bank forms use autocomplete=off and chrome developers don't like it, they want card numbers to be pre-filled.

bonestamp26y ago

I think some people want to be able to override it because some sites try to block password managers from filling the password field. Since Chrome has a built in password manager, that is likely their motivation to ignore it.

imode6y ago

Is "ignoring the specification" an extreme, now?

Are we seriously expected to entertain this mess?

So glad I switched to Firefox all those years ago.

dustinmoris6y ago

Google slaves came to downvote you after someone said this on their internal chat lol.

vntok6y ago

The spec says SHOULD though, not MUST. Chrome is compliant.

bullmanOP6y ago

There was a time when IE was the dominant browser, and happily did whatever they wanted to.

That was arguably better, because at least they acted predictably. Chrome has been continually altering how autocomplete is handled in the last 5 or 6 major releases

sebazzz6y ago

The most horrible is that it is almost completely unstylable, last time I checked. If you have floating placeholders it gets fun.

IshKebab6y ago

They acted predictably by never updating IE and letting it stagnate. Hard to see how that is better in any meaningful way.

pjmlp6y ago

You still had a choice, nowadays being a Web Developer is almost a synonym for Chrome Developer and it was the IE hatting crowd that made it happen.

4 more replies

platypii6y ago

Thank you chrome, for recognizing that the USER is what matters, not the website developer. Websites started blocking legitimate uses of autocomplete, and that makes the web less secure. As a user I sincerely hope that "autocomplete=off" dies just like the blink tag, as it is user hostile.

j / k navigate · click thread line to collapse

367 comments

romaaeterna6y ago

dmethvin6y ago

mikorym6y ago

2 more replies

15709494369706y ago

Fun fact: something similar once happened in production in the early days of an iPad-based point of sale startup.

In certain cases, a previously-entered zip code was interpreted as the number of cents to tip.

userbinator6y ago

The tip field was off-screen

I wonder how much the [1] hiding of scrollbars and [2] UIs with excessive amounts of whitespace, increasing the need to scroll also contributed to you making this error.

jbeales6y ago

We have trouble in our org with autofill on our New Customer forms. Depending on the browser it can be very difficult to remove the saved autocomplete values.

mehrdadn6y ago

(How) did you resolve this?

1 more reply

sedatk6y ago

How do you pay with Chrome at a restaurant?

Scoundreller6y ago

Probably for pickup or delivery.

carstenhag6y ago

As I had already commented on the issue, it completely breaks Germany's main train ticket selling website:

https://i.imgur.com/BjYTgSn.png

They have tagged the field as autocomplete=off but Chrome just doesn't care.

Also see this linked issue where they collected valid use cases for autocomplete=off. They just seem to ignore 452 use cases (I can't comment on the quality of them, I did not read any).

https://bugs.chromium.org/p/chromium/issues/detail?id=587466

obituary_latte6y ago

OT: direct link bypassing imgur’s horribly hostile UX https://i.imgur.com/BjYTgSn_d.jpg?maxwidth=1640&shape=&fidel...

watwut6y ago

Imo, valid use case for autocomplete=off is "the developer of webapp wants it".

Literally that and nothing more.

Nitramp6y ago

It's called "user agent", not "developer's agent". We'd be in a terrible situation if the browsers just followed developer's whims. Cf. popup blocking.

7 more replies

klmr6y ago

3 more replies

wdr16y ago

What if the user doesn't?

Rexxar6y ago

It's the same meaning but I would prefer "just follow the specification an let developer decide what they want"

atVelocet6y ago

Finally i know why this happens only in Chromium. This irritates me for quite some time now...

Seems that Chromium based browsers aren't favorable any more: Tracking, Bugs, uBlock extension is flagged, Manifestv3, etc.

phyzome6y ago

Pocket and sync are opt-in and seem pretty tame compared to the stuff in Chrome, just saying...

breakingcups6y ago

1 more reply

lqet6y ago

Can anyone explain why the same behavior does not occur on https://www.sbb.ch/, the Swiss equivalent (which is based on the same software by HaCon)?

E: as soon as you submit a search on sbb.ch, the same problem occurs.

subroutine6y ago

Did you try using a first-letter of a location you commonly use in forms? Here is what mine looks like when I use 'm' (like OP):

https://i.imgur.com/NlzVqhT.png

and here's what it looks like when I enter 's':

https://i.imgur.com/1u4Iy7S.png

(actually, S does not autocomplete in the Swiss site)

2 more replies

carstenhag6y ago

Also occurs there. See https://imgur.com/a/4K73twK

lone_haxx0r6y ago

Another example of this is chrome hiding "trivial" parts of the URL. i.e. any subdomain that coincides with "www" or "m".

takeda6y ago

jmkni6y ago

I had this issue the other day, I solved it by generating a GUID each time the page loads and appending it onto the end of the ID.

Not ideal, but worked!

sandstrom6y ago

This has turned into a sad chicken-race between Google and developers, with lots of innovative workarounds on Stackoverflow.

Their tactic of overruling web developers doesn't work, it only make things more complicated for everyone, since many of the workarounds have other negative side-effects.

https://stackoverflow.com/questions/12374442/chrome-ignores-...

    ## Example 1

    For a reliable workaround, you can add this code to your layout page:

    <div style="display: none;">
     <input type="text" id="PreventChromeAutocomplete" 
      name="PreventChromeAutocomplete" autocomplete="address-level4" />
    </div>

    Chrome respects autocomplete=off only when there is at least 
    one other input element in the form with any other autocomplete value.



    ## Example 2

    Simply make your input readonly, and on focus, remove it. This is a very 
    simple approach and browsers will not populate readonly inputs. 
    Therefore, this method is accepted and will never be overwritten by 
    future browser updates.

    <input type="text" onfocus="this.removeAttribute('readonly');" readonly />

    Style your input accordingly so that it does not look like a readonly input.


    ## Example 3

    Tell Chrome that this is a new password input and it won't provide 
    old ones as autocomplete suggestions:
    <input type="password" name="password" autocomplete="new-password">

obituary_latte6y ago

I think it mentioned chrome is even now ignoring ‘display:none’ and ‘visibility:hidden’ declarations so those workarounds no longer work either.

msclrhd6y ago

Sigh!

1 more reply

identity06y ago

Why would they ever do that. That’s just asking for autofill phishing.

scient6y ago

pas6y ago

At the same time many many many dumb corp-o-rat shit sites disable autocomplete because cOmpLiEncE. And users love autocomplete...

Naturally the problem is choice. Chrome/G should show a button to auto fill fields.

They could simply unleash some AI magic, train a network to recognize good and bad sites, etc. (Aka. the Apple way. As they also have a we know better policy, and users seem to love that.)

EugeneOZ6y ago

I haven't tried it, but maybe div with "contenteditable" could help?

notatoad6y ago

This is what I resorted to on one of our internal tools that wants a phone number to be entered and kept getting auto-completed with our staff'S phone numbers.

I wouldn't recommend it for public use. There's a lot of subtle behaviour around an input field that you'd need to replicate manually.

clairity6y ago

> “ This has turned into a sad chicken-race...”

great dash use! i almost read that as a race of sad chickens (seriously) but the dash autocorrected me. bravo!

jchw6y ago

(I do not work on Chrome or use Chrome at home, but as disclosure I do currently work at Google.)

gnud6y ago

Chrome explains in their security FAQ [0] why they don't adhere to autocomplete=off for password fields.

They could still follow it for other fields.

0: https://chromium.googlesource.com/chromium/src/+/master/docs...

kevincox6y ago

Of course then websites will just stop using password fields and that is awful for security and convinced.

kerng6y ago

Google should spend their cycles to work on a standard for password managers. The current design of those is flawed anyway.

anoncake6y ago

I think we need a way to disable features only for those developers that abuse them. Like uMatrix but built-in and with rules being supplied automatically as ad blocking lists are.

You autocomplete=off a password field? That attribute won't have an effect on your site anymore.

You auto-play videos when the user doesn't expect it? What videos? The web doesn't support videos – as far as you are concerned.

Scroll hijacking? I hope you used progressive enhancement because you just lost your Javascript privileges.

Roritharr6y ago

This is actually a reasonable proposal. A moderate list could be an in-built feature, with some config options.

1 more reply

basch6y ago

I asked if something similar was coming to Brave, and the answer was yes. Opera maintained what i believe was a somewhat community powered site patching repository back in the Presto days.

https://news.ycombinator.com/item?id=20831774

msclrhd6y ago

4 more replies

anticensor6y ago

I even found a name for such an extension: PunishIt.

doctorpangloss6y ago

Nitramp6y ago

I have my own extension for Chrome that yanks the autocomplete attribute. I much rather deal with over eager completion than websites disabling it for silly reasons and pseudo security.

httpsterio6y ago

Touch based are not better. Your fingerprint is not a password, it's just an identifier and shouldn't be treated as a secret.

2 more replies

cdubzzz6y ago

driverdan6y ago

Why would you need to disable autocomplete passwords for PCI compliance?

1 more reply

ss30006y ago

Decisions like this demonstrate an utter disregard for the crucial role Chromium plays in the web standardization process, and jeopardizes the entire ecosystem.

ss30006y ago

jjcm6y ago

This isn't even the first time we've seen this either. Both Chrome Mobile and Safari Mobile go against the standard and implement `vh` incorrectly.

chrismorgan6y ago

1 more reply

Natanael_L6y ago

All browsers on iOS are Safari wrappers

1 more reply

ko276y ago

Strictly speaking, Chrome is not ignoring a web standard, since the standard does not require this behavior (no "MUST" keyword).

obituary_latte6y ago

Well they are ignoring hundreds if not thousands of developers which is the main issue at this point.

3 more replies

dwb6y ago

That depends entirely on your interpretation of RFC 2119 in this context – whether you consider Google to have "valid reasons" or not. It's not an objective or inarguable issue.

ss30006y ago

Point taken. Maybe in this case the spec authors were also at fault for leaving too much leeway in the implementation.

azernik6y ago

I ran into this last week (with LastPass, not Chrome - this seems to be a common practice):

iforgotpassword6y ago

So yes, f*ck those Google devs on their high horse.

notatoad6y ago

kerng6y ago

The entire design of password managers that hijacking the DOM is flawed.

1 more reply

Geeflow6y ago

(And for the record: As a developer, I have been bitten by Chrome ignoring autocomplete="off" as well.)

megous6y ago

Yup, I like how FF does it. I basically just do a repeated sequence of:

TAB -> Arrow Down (select one of the previously filled values I've used) -> Enter

When filling a form. Given that sometimes we order things on made up names, it's quite useful no to have that autofilled when we're not wanting to.

stefan_6y ago

This is a bit of a missing perspective. I wouldn't even care about them not following autocomplete=off if the damn autocomplete was useful. Instead 90% of the time I'm fighting it.

TekMol6y ago

I guess this will lead to a horrible coding style where instead of having this in the form:

    <input name="email">

We will see stuff like this:

    <input name="16fkr9547kancot944128sddfksdf934998aafccugt75">

Where developers use some type of abstraction that generates a random id for each field and then assigns it to the original value server side or in javascript.

Just like they already randomise asset filenames to avoid caching.

wiredfool6y ago

I’m doing this with a field where I provide server side autocomplete of an item. It sucks, but I can’t find a better workaround.

masklinn6y ago

MDN literally mentions jquery.disableAutoFill which basically does that for you under the cover (scrambling the name on display, and unscrambling on submission).

StavrosK6y ago

jstanley6y ago

That is a thing already!

https://developer.mozilla.org/en-US/docs/Web/Security/Subres...

1 more reply

ProfSarkov6y ago

It's like Internet Explorer 6 all over again. SAD.

donatj6y ago

It’s still a reasonably effective solution for CSRF, though there are much simpler options, but today’s bots largely have cookie jars so you will likely need a CAPTCHA.

Thorrez6y ago

How would it stop XSS? Is it meant to stop attackers from getting JS execution on your site, or to mitigate the attackers' abilities after they have JS execution? I don't see how it would do either.

2 more replies

xg156y ago

> Just like they already randomise asset filenames to avoid caching.

But why? Isn't the whole point of caching to improve delivery if static assets?

Did they run into staleness problems? Then why not use if-modified-since/if-none-match?

noselasd6y ago

You are assuming browsers(there are many more than chrome&ff) ,proxies, etc. do caching correctly.

1 more reply

mxxx6y ago

Yep. We recently noticed this problem after renaming form fields for the purpose of accessibility (screen readers)

VMG6y ago

Autofill for offscreen elements gives me the creeps even without the data getting misinterpreted

dmix6y ago

Frameworks like React and Vue don’t even render the HTML into the DOM until conditions are met so the situation is improving.

Another positive step away from jQuery hackery!

pantalaimon6y ago

If you want to be malicious and capture wrong auto fill data, wouldn't a simple AJAX request on change be enough to capture sensitive data before the user gets a chance to correct it?

2 more replies

meredydd6y ago

Search boxes? Sure! App titles? Yeah, one week a bunch of our users' apps got renamed to the author's email address.

TL;DR Chrome's autofill is out there. It can't be bargained with. It can't be reasoned with. It does not feel pity or remorse. And it will not stop.

yk6y ago

Asking for a friend.

1 more reply

throwaway_bad6y ago

And worse part is that autofill still works in incognito.

TazeTSchnitzel6y ago

Oh yes. I seem to recall it was demonstrated as a way to covertly steal user information from the browser a while ago.

Hamuko6y ago

Haven't browsers already done changes to combat that?

sky_rw6y ago

I try to be as free-market as possible but I sure wish that the w3c had some teeth when it came to things like this.

sundbry6y ago

You're not the only one. I remember spending a good two days on it this year for a page where the user puts in their credentials for external integrations.

albertzeyer6y ago

Btw, at http://google.com, this is what they have for the search field:

carstenhag6y ago

Does anybody have a clue why it does not show up there? The Google team must have done something in order to circumvent what the Chrome team did. Horrible.

goatinaboat6y ago

Overall, I still believe that neither of the extreme strategies ("always honor autocomplete=off"

Is it “extreme” now for a computer to do what the user wants and not what a random Google employee wants? How does this differ from malware?

ProfSarkov6y ago

It's also in the spec.

People might not like the spec or it might be incomplete, but adhering to it is a very important part of improving it until it's a good one.

Now I'm no webdev, but I could very well imagine that the spec is already a good one. So the situation might be even worse.

ko276y ago

No, it's not a requirement in the spec. Chrome is actually spec compliant regarding this issue.

nikanj6y ago

The spec only says "should", not "must". Apparently these wingnuts thought that means the spec can be ignored.

2 more replies

shpx6y ago

autocomplete=off is set by website developers, not users.

jussij6y ago

However the more important point made by the OP still remains which was some random Google employee chooses to ignore it.

lstamour6y ago

Safari does a much better job by only filling visible form fields, I think (though it too has a tendency to put my address both in Line 1 and Line 3, which is annoying...).

the_pwner2246y ago

Explanation from the 'rogue Chromium dev' is linked to in comment 19 of this bug: https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

https://bugs.chromium.org/p/chromium/issues/detail?id=468153...

antoinevg6y ago

...which really makes it worse:

1. Our programming language has an attribute called "autocomplete" with two possible values: "on" and "off"

2. We will now (without consultation or announcement) simply start ignoring one of those values when you specify it. (and certainly not document the new behaviour!)

3. Here, I made you a convoluted (and undocumented!) workaround for getting the original behaviour of the attribute back.

I'm not sure which horse these FAANG kids who excel at programming challenges rode in on, but this attitude is RIFE in their product SDK's and API's.

Dijkstra must be spinning in his grave.

tgv6y ago

All that based on an increase in page submissions. Is that the goal of auto-complete?

mnoorenberghe6y ago

[1] https://html.spec.whatwg.org/multipage/form-control-infrastr...

mehrdadn6y ago

I'm reminded of an earlier comment: https://news.ycombinator.com/item?id=21083277

Carpetsmoker6y ago

> somewhere along the journey of the web autocomplete=off become a default for many form fields, without any real thought being given as to whether or not that was good for users

And here I was, all along, thinking that website authors were in control of how their websites behaved. How silly of me!

Reelin6y ago

It's complicated. Sometimes website authors do silly things that negatively impact users; browsers ought to help (without breaking things!) where possible.

2 more replies

rcxdude6y ago

They are in control of their servers. They are not in control of how the user agent (clue is in the name) interprets the javascript and HTML sent to it.

GrayShade6y ago

mcv6y ago

That is absolutely stuff that the user needs to be able to override. In fact, anything related to cutting and pasting is not something I think the browser should mess with.

Also: websites that generate a custom login name or password for me so I won't remember it, and then refuse to allow autofill or pasting. Fortunately dev tools are standard on the desktop these days.

(I would really, really like access to dev tools on mobile, though. It's simply necessary to get around some broken websites.)

elcritch6y ago

In best cases there’d be an option to honor the attribute or not.

andrewstuart6y ago

The weird thing is that there's other teams within Google who offer autocomplete libraries that simply don't work because Chrome overlays it's own autocomplete on top.

The maps team seems to have given up on trying to resolve that.

Chrome team have made a judgement that autocomplete is required and no-one - not even other teams within Google are allowed to override that functionality.

It's weird.

nikanj6y ago

Google really is the new Microsoft

sixothree6y ago

In spirit maybe. But in practice it seems worse.

jefftk6y ago

> not even other teams within Google are allowed to override that functionality

Isn't that how things should work? If other teams within Google had a special way to override autocomplete wouldn't that be worse?

(Disclosure: I work at Google)

andrewstuart6y ago

My point is that this decision from the Chrome team even breaks Google's own software.

This emphasises the craziness of the unilateral decision by the Chrome team which is essentially saying: "we, the Chrome team are correct and everyone else can go jump in the lake".

I'm not suggesting that Google should have secret special ways to do things.

1 more reply

xg156y ago

Relevant reply from a Googler seems to be this: https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

by battre@google.com

... which doesn't read at all to me like a "rogue dev" and more like a shared sentiment inside the Chrome team that autocomplete=off should be ignored.

bullmanOP6y ago

It is a direct spec violation, and it is breaking all kinds of applications.

Look, I get that this capability is super useful on shopping sites, and I rely on it practically every day.

But, I also build enterprise applications, where Chrome simply would not ever understand or know what would be valid choice.

Application developers need a reliable, durable way to tell the UA that a particular field should never be autofilled or autocompleted. The spec says this is autocomplete=off. Just do that.

tannhaeuser6y ago

But OTOH that Chromium interprets form field names heuristically to enable auto-autocomplete is worrying, and reflects poorly on the whole "standardization" process by WHATWG.

Santosh836y ago

Indeed. Chrome and Firefox both autocomplete my user name and password into GitHub's new user registration form, even though I already have an account. It's flaky and just asking to be abused.

duxup6y ago

It's really frustrating to have to work around this with hit or miss hidden inputs and such.

So many cases too where auto complete misfires an obliterated forms that had helpful placeholder text.

Just having a user change passwords and auto complete will often put an old saved password in the first field but not the second confirmation password field.

johneth6y ago

> Just having a user change passwords and auto complete will often put an old saved password in the first field but not the second confirmation password field.

You can hint to the browser which password you want to autofill with autocomplete="current-password" and autocomplete="new-password"

duxup6y ago

I've found that auto complete still sometimes guesses at what to do in that case depending on what the other fields are. At least it did last time I fought with it.

Hokusai6y ago

The only time I saw this being a rogue developer was a commit and run done by a guy on his last day.

It is easy to blame one person when actually is a systemic failure that needs to be addressed at the company level.

londons_explore6y ago

I agree - and in fact, I think accusing this guy of being rogue is an unnecessary direct attack on him/her.

They are just doing their job, and in this case, acting in what they believe is best way for users. Here on HN, it seems most disagree, but that is still no reason to accuse someone of being rogue.

Headline should be "Google Chrome actively ignores HTML5 standard"

jefftk6y ago

The standard says "SHOULD", not "MUST".

(Disclosure: I work for Google)

3 more replies

speedplane6y ago

PerfectElement6y ago

Ironically, we were paying Google a few thousand dollars per month for this, so they are not getting our revenue as a direct consequence of Chrome's behavior.

dazbradbury6y ago

I'm not sure who Chrome think they're helping. We get many, many users contacting our support team because of this feature / bug on https://www.openrent.co.uk.

vidarh6y ago

At some point the alternative will be to implement a custom input control, which will just be awful in all kinds of ways, but it's just as awful to have Chrome think it knows best in some contexts.

andrewstuart6y ago

The Chrome dev team have implemented autocomplete the way they think it should work, not the way web developers want.

You cannot switch off Chrome's handling of autocomplete, thus any other autocomplete implementation will be overwritten by Chrome's handling.

Chrome team feel they know best.

chris_wot6y ago

They are becoming the Gnome of browsers. The Chrome dev team seem to be getting more and more user hostile.

nordsieck6y ago

> They are becoming the Gnome of browsers.

What they're becoming is ie6.

avodonosov6y ago

Bad that chrome developers don't practice web development enough to know the use cases where ignoring autocomplete=off breaks the application.

mgoetzke6y ago

needle06y ago

Another reason to abandon ship and switch to Firefox.

avellable6y ago

With the new direction chrome is going I wouldn't mind putting "works best on anything but Chrome" on my next web project.

dustinmoris6y ago

vntok6y ago

Please go read the spec, you will find that Chrome is perfectly compliant with it regarding the autocomplete attribute handling.

dang6y ago

The submitted title was heavily editorialized:

"Rogue Chromium dev lead ignores W3C 'autocomplete' spec; frustrates Internet"

lowercased6y ago

> This causes some problems, e.g. in <input type="text" name="name">, the "name" can refer to different concepts (a person's name or the name of a spare part).

Maybe I need context, but I don't understand why they're trying to 'guess' context around 'name' and trying to autofill something - either a spare part or a person's name.

This might make more sense, no? Let chrome try to determine a 'name' based on whatever logic they want.

velox_io6y ago

Chrome should remove the password if there is any attempt to change that form object.

This flaw has been there for years, it's actually handy if I'm not sure what the password is.

Someone12346y ago

You're in the superuser context for the webpage. If you can modify the password field's type you can literally do anything to that page.

[0] https://stackoverflow.com/questions/2787853/arent-passwords-...

Smithalicious6y ago

Is this really an issue? Presumably anyone with access to the browser can acces saved passwords anyways; the censoring only prevents onlookers from reading it.

Avamander6y ago

Actually on Windows at least Chrome asks for a password when trying to view all passwords. So it isn't _that_ easy.

user59944616y ago

>>> - How to trigger the hiding? - right mouse button menu or (more likely) something in the drop down? where would we put that? ...

Mobiles notoriously don't have mouse buttons, so any UI relying on right-click will not be usable there.

It's odd that Google is considering mouse-based workarounds in all considered solutions, as if unaware of that. or maybe Chromium is only the desktop browser?

packetized6y ago

This position seems at odds with a recently opened WHATWG issue.

https://github.com/whatwg/html/issues/4986

codegladiator6y ago

> if you add an <input type="hidden" autocomplete="username" name="does_not_matter" value="{the actual username}"> before your current-password and new-password fields, Chrome should get it right

I can't believe that this suggested hack is coming from google.

https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

platz6y ago

https://bugs.chromium.org/p/chromium/issues/detail?id=914451...

We're in for the Long haul on this one.

tyingq6y ago

Discussion about a demo of the issue...

https://news.ycombinator.com/item?id=13329525

marcoseliziario6y ago

If you look at the chrome sources you can find this flag:

const char kAutofillOffNoServerDataDescription[] = "Disables Autofill for fields with autocomplete off that have no " "crowd-sourced evidence that Autofill would be helpful.";

So, at least in a company, this should work to avoid autocomplete making corporate apps unusable.

another thing that seems to work for me, is adding role="combobox" along with autocomplete="off"

tehabe6y ago

I guess this bug is the real reason why I turned off auto-fill in the browser a while ago, because it acted weird a lot of times.

asdf-asdf-asdf6y ago

please note that it uses "should", not "must". these words have precise definition in specs, see RFC2119:

one may argue whether chrome has valid reasons or not, but saying they ignore it is incorrect.

mstade6y ago

> [...] there may exist valid reasons in particular circumstances [...]

(Emphasis mine.)

Is it really spec compliant when the "particular" circumstance is all of them?

chris_wot6y ago

Previously closed as WONTFIX: https://bugs.chromium.org/p/chromium/issues/detail?id=468153

chris_wot6y ago

Later they filed:

https://bugs.chromium.org/p/chromium/issues/detail?id=587466

marcoseliziario6y ago

So far this combinations seems to be working for me

role="combobox" autocomplete="off"

onion2k6y ago

aiCeivi96y ago

I hat to fight with browser autocomplete in Kibana main search bar. On the other hand I guess it is the same as right mouse button - I don't allow any site to capture that event since some abuse it.

dannykwells6y ago

A rare example where an editorialized HN post title is appreciated. Bravo!

sm4rk06y ago

Just stop using Chrome. There are good (even better) alternatives.

edoceo6y ago

I use autocomplete="x" and it seems to work for my apps.

Both Twilio and NameCheap seem to have login that defeat autocomplete in a nice way. Haven't investigate their tricks

mfer6y ago

> This has turned into a sad tit-for-tat between developers and Chrome, where no-one is winning.

Not the kind of relationship you want to build with an army of advocates

enriquto6y ago

I love the edited title of this post. It reflects accurately the reality of the situation. Hey, battre, hi there! You are famous now!

robotstate6y ago

I wrote a Medium article on how to actually turn it off 3 years ago that consistently gets about 500 views a week to this day.

phendrenad26y ago

I wonder what kind of engine overhaul Chrome is doing to cause all of these strange breakages.

smashah6y ago

This also screws with notion to the point where I've largely stopped using it at all

wolco6y ago

As a developer this can be fixed by using unique field names.

iandanforth6y ago

We're Google, we don't have to respect the spec.

tus886y ago

I would love it if someone explained how 'autocomplete=off' can lead to abuse of some kind. It seems to reduce the potential for security leaks.

pilif6y ago

It causes spec-compliant password managers to not work.

Unfortunately, disabling autocomplete for password fields is an often used form of security-theatre

techsupporter6y ago

Fortunately, Firefox gives me dom.event.clipboardevents.enabled so I at least need not worry about my workaround being broken.

tmd836y ago

3 more replies

tus886y ago

1 more reply

rndgermandude6y ago

Then only ignore autocomplete=off for forms that have password fields.

Sure, stupid devs can still work around that too, but so can they work around the current ingore-always behavior.

flaviu16y ago

> It seems to reduce the potential for security leaks

Misguided views like this are exactly how. Turning off autocomplete doesn't improve any sort of security, since the site already needs to trust the browser.

It serves no purpose other than to frustrate the user, and might even reduce security if it prevents the user from easily making use of a password manager.

mike_pol6y ago

1 more reply

vidarh6y ago

It does sometimes improve security for the user.

This happens when the auto-complete triggers on things it shouldn't and the user doesn't notice and submits personal details they never wanted to send to the site at all.

pyrale6y ago

When user experience is bad, the website suffers, not chrome.

When chrome devs believe it is their role to alter ux, they are backseat driving.

throwaway20486y ago

plenty of stuff (like credit card info for instance) should absolutely never be auto-completed. The browser storing that sorta stuff to disk is stupid and completely avoidable.

2 more replies

avodonosov6y ago

From previous discussions I remember payment and bank forms use autocomplete=off and chrome developers don't like it, they want card numbers to be pre-filled.

bonestamp26y ago

imode6y ago

Is "ignoring the specification" an extreme, now?

Are we seriously expected to entertain this mess?

So glad I switched to Firefox all those years ago.

dustinmoris6y ago

Google slaves came to downvote you after someone said this on their internal chat lol.

vntok6y ago

The spec says SHOULD though, not MUST. Chrome is compliant.

bullmanOP6y ago

There was a time when IE was the dominant browser, and happily did whatever they wanted to.

That was arguably better, because at least they acted predictably. Chrome has been continually altering how autocomplete is handled in the last 5 or 6 major releases

sebazzz6y ago

The most horrible is that it is almost completely unstylable, last time I checked. If you have floating placeholders it gets fun.

IshKebab6y ago

They acted predictably by never updating IE and letting it stagnate. Hard to see how that is better in any meaningful way.

pjmlp6y ago

You still had a choice, nowadays being a Web Developer is almost a synonym for Chrome Developer and it was the IE hatting crowd that made it happen.

4 more replies

platypii6y ago

j / k navigate · click thread line to collapse