Turning Off AutoComplete - Page 3


Re: Turning Off AutoComplete

Lachlan Hunt wrote:
> Zifud wrote:
>> Lachlan Hunt wrote:
>>  Yes, but it is not the only way to prevent a user agent from
>>  remembering user input.  Let's say I add a randomly generated 8
>>  character string to my input field names.  Your browser won't
>>  recognize the field, how will it auto fill it?
> You're basing that assumption on the way existing autocomplete features
> work.

  Should I base them on how future implementations may work, or should
  I stick with reality?

> There is nothing *preventing* the user agent remembering the
> values except the limitations of the implementations.  There is
> certainly nothing in the markup doing so.

  ? Remembering individual values is only half the problem, it's
  automatically associating certain values with particular fields on
  individual web sites, like user id, password, etc. that is the
  problem.  It becomes an absolute no-brainer to hack into someone's
  bank account if the fields are filled in for you!

  And if the site chooses to protect itself by preventing such automatic
  field filling, who are you to say they can't?

>>>     However, *what right do you have to take over my system and
>>> decide when I want to let my browser remember my passwords and other
>>> form values*???
>>  Rights?  What is this, life and death?
> No, it's not life and death, it's about the right to make choices
> yourself, without anyone else interfering.

  But you choose to dictate to site authors the features they can and
  can't use on their site.

>>  Get a grip!  The page author can defeat any browser attempt at
>>  remembering form values - what if they don't use HTML forms at all?
>>  Or generate random input names?
>>  Or don't assign any name or label to the input and use JavaScript to
>>  populate hidden fields before submission?
>>  Sorry, autocomplete is a nice add-on, but it is utterly unreliable
>>  and certainly not some inalienable 'right'.
> It is the right of the user to make use of the features in their user
> agent.

  And the 'right' of every author to use the features provided by the
  specification.  Autocomplete (feature or attribute) is not part of
  the HTML spec, and it can be easily defeated with perfectly valid

  So where does that leave the respective parties' 'rights'?

>>> Luckily there are ways for a user to override this attribute in
>>> *some* browsers, though it's not easy and it's something the user
>>> shouldn't even have to do.
>>  So now you assume to know the requirements of all users?
> No.  If you think that, then you've totally misunderstood the issue. The
> point is that it should be the *user's* choice in the end, not the
> author's, and users that want to make the choice should be able to do
> so easily.

  No, the point is that users have the ability to use auto complete,
  authors have the ability to make it useless.  I don't see that will
  ever change.

>>> See this recent thread [1] in the WHAT-WG mailing list that explains
>>> why this attribute cannot be used, why browsers support it, why
>>> authors should not use it, why there is an attempt to standardise it
>>> and, most importantly, *why you must not use this attribute*!
>>> [1]
>>  That thread contains a rather lop-sided series of comments regarding
>>  the support that the WHAT Working Group specification should give to
>>  the autocomplete attribute. There is no discussion of any of the
>>  points you raise, least of all why it "cannot" or "must not" be used.
> All the points are addressed either directly in the thread or there are
> references to places that contain the explanation.  Here's a very brief
> summary.
> Why browsers support it:
>   To meet the needs of some ignorant banking organisations that believe
>   it increases the security of their web pages.

  That assertion is made without a single reference or quote, which was
  my point.  And the sole reason offered is that particular users like
  to use autocomplete and are offended if it doesn't work.

  So what? Not one single pertinent argument was given as to why it
  should be banned, other than "I want it".

  The primary argument for preventing it is to ensure the users'
  security, that the computer they are using can't remember what the
  site believes is sensitive information.

> Why it's being standardised:
>   Because specifications should document what browsers should support.

  What? Standards are some kind of 'as-built' document?  Whilst that
  argument was offered, it simply doesn't stand up.

  Why aren't the many other MS proprietary methods in standards?  Just
  about all browsers support innerHTML, but its chances of making
  it into some future version of the DOM are remote at best.

  Let's put this one to rest:

   "...the most fundamental Web technologies must be compatible with
    one another and allow any hardware and software used to access the
    Web to work together. ... By publishing open (non-proprietary)
    standards for Web languages and protocols, W3C seeks to avoid
    market fragmentation and thus Web fragmentation.

   "Tim Berners-Lee and others created W3C as an industry consortium
    dedicated to building consensus around Web technologies."


  In other words, standards exist to ensure interoperability and
  promote collaboration.

  Browsers and standards are not in existence purely for users'
  convenience - they exist as a platform for the web.  If they don't
  implement features required by web sites, then the sites will not
  support them.  If they don't support features wanted by users, then
  users won't use them.

  A browser author's dilemma is to walk the fine line between the two,
  and a specification writer's job is to work out what features should
  be in the standard and what shouldn't. The rationale for choosing one
  particular feature may be totally different from that used to select
  (or reject) another.  No single player has absolute right of veto
  over what any other player wants.

  The attitude here seems to be that any attempt by a web site to
  ensure user ID or password security is an attack on civil liberties.

> Why authors can not, should not and must not use it:
>   Because it is a user-hostile act to disable a user's user agent
>   feature designed to increase the usability of web sites for the user.

  Just wait for the day some suitably empowered user sues a site for
  not ensuring the security of their user ID and password when the
  tools were available to do it.

  Any site that doesn't support my choice of browser and OS doesn't get
  my business.  I let them know my grievance in an e-mail, and once or
  twice it has actually resulted in changes to sites.

>>  Indeed, if it were the view of that group that autocomplete can't or
>>  mustn't be used, why is the outcome of the discussion that it
>>  continue to be part of the specification?
> Ignorance.

  That group is ignorant?  So why reference a bunch of ignoramuses?

> I never said it was the view of the group, only that it
> should not be used for the many reasons discussed in it.

  The only reason I saw was that some posters thought it was an attack
  on their personal space if a page author dared interfere with a
  feature of their browser.  It can be just as easily answered that it
  is the right of any site to disallow features they believe are
  detrimental to their users' security.
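
The "randomly generated 8 character string" approach mentioned in the post, sketched server-side as an added example (not code from the thread or from any poster). The field names `userid` and `password`, the `/login` action and all function names are assumptions made for illustration; the mapping returned by `issueFieldNames` is assumed to be kept in the user's server-side session between rendering and submission.

```javascript
const crypto = require("node:crypto");

// Constructed canonical field names for a hypothetical login form.
const FIELDS = ["userid", "password"];

// Issue a fresh mapping for each page render:
// canonical name -> canonical name plus a random 8-character suffix.
function issueFieldNames(fields = FIELDS) {
  const map = {};
  for (const field of fields) {
    const suffix = crypto.randomBytes(4).toString("hex"); // 8 hex characters
    map[field] = `${field}_${suffix}`;
  }
  return map;
}

// Render the form using only the randomized names.
function renderForm(map) {
  return [
    '<form method="post" action="/login">',
    `  <input type="text" name="${map.userid}">`,
    `  <input type="password" name="${map.password}">`,
    "</form>",
  ].join("\n");
}

// Translate a submitted body back to canonical names using the mapping
// issued for this render. Names that were never issued (including the
// plain canonical names or a stale mapping) are rejected.
function decodeSubmission(map, body) {
  const reverse = new Map(Object.entries(map).map(([k, v]) => [v, k]));
  const out = {};
  for (const [name, value] of Object.entries(body)) {
    const canonical = reverse.get(name);
    if (canonical === undefined) throw new Error(`unexpected field: ${name}`);
    out[canonical] = value;
  }
  for (const field of Object.keys(map)) {
    if (!(field in out)) throw new Error(`missing field: ${field}`);
  }
  return out;
}
```

This only affects auto-fill that keys remembered values on the field name; the mapping must be discarded after one submission so a name is never reused.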

