Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
- Turning Off AutoComplete
Re: Turning Off AutoComplete
Lachlan Hunt wrote:
> Zifud wrote:
>> Lachlan Hunt wrote:
>> Yes, but it is not the only way to prevent a user agent from
>> remembering user input. Let's say I add a randomly generated 8
>> character string to my input field names. Your browser won't
>> recognize the field, how will it auto fill it?
> You basing that assumption on the way existing autocomplete features
Should I base them on how future implementations may work, or should
I stick with reality?
There is nothing *preventing* the user agent remembering the
> values except the limitations of the implementations. There is
> certainly nothing in the markup doing so.
? Remembering individual values is only half the problem, it's
automatically associating certain values with particular fields on
individual web sites, like user id, password, etc. that is the
problem. It becomes an absolute no-brainer to hack into someones
bank account if the fields are filled in for you!
And if the site chooses to protect itself by preventing such automatic
field filling, who are you to say they can't?
>>> However, *what right do you have to take over my system and
>>> decide when I want to let my browser remember my passwords and other
>>> form values*???
>> Rights? What is this, life and death?
> No, it's not life and death, it's about the right to make choices
> yourself, without anyone else interfering.
But you choose to dictate to site authors the features they can and
can't use on their site.
>> Get a grip! The page author can defeat any browser attempt at
>> form values - what if they don't use HTML forms at all? Or generate
>> random input names?
>> populate hidden fields before submission?
>> Sorry, autocomplete is a nice add-on, but it is utterly unreliable
>> and certainly not some inalienable 'right'.
> It is the right of the user to make use of the features in their user
And the 'right' of every author to use the features provided by the
specification. Autocomplete (feature or attribute) is not part of
the HTML spec, and it can be easily defeated with perfectly valid
So where does that leave the respective party's 'rights'?
>>> Luckily there are ways for a user to override this attribute in
>>> *some* browsers, though it's not easy and it's something the user
>>> shouldn't even have to do.
>> So now you assume to know the requirements of all users?
> No. If you think that, then you've totally misunderstood the issue. The
> point is that it should be the *user's* choice in the end, not the
> author's, and user's that want to make the choice should be able to do
> so easily.
No, the point is that users have the ability to use auto complete,
authors have the ability to make it useless. I don't see that will
>>> See this recent thread  in the WHAT-WG mailing list that explains
>>> why this attribute cannot be used, why browsers support it, why
>>> authors should not use it, why there is an attempt to standardise it
>>> and, most importantly, *why you must not use this attribute*!
>> That thread contains a rather lop-sided series of comments regarding
>> the support that the WHAT Working Group specification should give to
>> the autocomplete attribute. There is no discussion of any of the
>> points you raise, least of all why it "cannot" or "must not" be used.
> All the points are addressed either directly in the thread or there are
> references to places that contain the explanation. Here's a very brief
> Why browser's support it:
> To meet the needs of some ignorant banking organisations that believe
> it increases the security of their web pages.
That assertion is made without single reference or quote, which was
my point. And the sole reason offered is that particular users like
to use autocomplete and are offended if it doesn't work.
So what? Not one single pertinent argument was given as to why it
should be banned, other than "I want it".
The primary argument for preventing it is to ensure the users'
security, that the computer they are using can't remember what the
site believes is sensitive information.
> Why it's being standardised:
> Because specifications should document what browsers should support.
What? Standards are some kind of 'as-built' document? Whilst that
argument was offered, it simply doesn't stand up.
Why aren't the many other MS proprietary methods in standards? Just
about all browsers support innerHTML, but its chances of making
it into some future version of the DOM are remote at best.
Let's put this one to rest:
"...the most fundamental Web technologies must be compatible with
one another and allow any hardware and software used to access the
Web to work together. ... By publishing open (non-proprietary)
standards for Web languages and protocols, W3C seeks to avoid
market fragmentation and thus Web fragmentation.
"Tim Berners-Lee and others created W3C as an industry consortium
dedicated to building consensus around Web technologies."
In other words, standards exist to ensure interoperability and
Browsers and standards are not in existence purely for user's
convenience - they exist as a platform for the web. If they don't
implement features required by web sites, then the sites will not
support them. If they don't support features wanted by users, then
users won't use them.
A browser author's dilemma is to walk the fine line between the two,
and a specification writer's job is to work out what features should
be in the standard and what shouldn't. The rationale for choosing one
particular feature may be totally different from that used to select
(or reject) another. No single player has absolute right of veto
over what any other player wants.
The attitude here seems to be that any attempt by a web site to
ensure user ID or password security is an attack on civil liberties.
> Why authors can not, should not and must not use it:
> Because it is a user-hostile act to disable a user's user agent
> feature designed to increase the usability of web sites for the user.
Just wait for the day some suitably empowered user sues a site for
not ensuring the security of their user ID and password when the
tools were available to do it.
Any site that doesn't support my choice of browser and OS doesn't get
my business. I let them know my greivance in an e-mail, and once or
twice it has actaully resulted in changes to sites.
>> Indeed, if it were the view of that group that autocomplete can't or
>> mustn't be used, why is the outcome of the discussion that it
>> continue to be part of the specification?
That group is ignorant? So why reference a bunch of ignoramuses?
I never said it was the view of the group, only that it
> should not be used for the many reasons discussed in it.
The only reason I saw was that some posters thought it was an attack
on their personal space if a page author dared interfere with a
feature of their browser. It can be just as easily answered that it
is the right of any site to disallow features they believe are
detrimental to their users security.
- » ssh on command line: force using a group size (prime size) of 1024 (and no...
- — The site's Newest Thread. Posted in » Secure Shell Forum