[whatwg] [WF2] Objection to autocomplete Attribute
lachlan.hunt at lachy.id.au
Wed Mar 23 16:46:09 PST 2005
Ian Hickson wrote:
> On Thu, 24 Mar 2005, Lachlan Hunt wrote:
>># Support for the attribute *should* be enabled by default...
> Ok, I changed the must to a should. But I left the bit about not making it
> trivially disablable.
Thank you, but I don't understand why making it trivially disableable
could not be moved to the note, nor why the spec even needs to suggest
such user agent behaviour. However, at least it is now "should", so I
will accept it if I must.
> From a browser vendor point of view, if the alternatives are:
> a. Allow users to use autocomplete on all sites, but don't let users
> use bank sites at all, or
> b. Allow sites to specify when autocomplete should be unavailable, and
> let users use their bank sites,
c. Allow sites to specify when autocomplete should be unavailable *by
default* and let users use their bank sites, but give the users final
say about the issue. Any organisation that complains about the user
having such control is being unrealistic and simply needs to be
reminded that it is a *user agent*, not an author agent.
- Both users and user agent vendors complain to the organisation
about not allowing them access.
- Organisations exercising user-hostile behaviour to exclude a large
portion of their users either give in to the pressure.
- Users switch to another organisation that caters for their needs,
user-hostile organisations lose market-share to a competitor that
respects a user's rights, and eventually gives in to pressure
- Unfortunately, the last option is that users give in to pressure
from the organisation and switch back to IE, which I realise
vendors must take into consideration; however, they must balance
the needs of the users with the organisations.
(I will be complaining to the one organisation I use, that I recently
discovered uses autocomplete. At least, they finally agreed to support
the increasing number of non-IE users a while ago after many complaints,
so I think they'll give in to enough pressure over this too)
> Web authors have, IMHO, a legitimate reason to try to protect their users
> from mis-configured public terminals.
This issue could be addressed by making user agents much easier to
configure for public terminals. eg. The user agent vendor could provide
a setting, extension, config file or whatever that may be easily
installed by public terminal operators, which automatically configures
the most appropriate options such as disabling autocompletion
facilities, not remembering browsing history between sessions,
disallowing software installation by general users (eg. Mozilla
extensions) and any other configuration often required in such
circumstances. The point is that there should be *no reason* for an
author to take on the responsibility of the user/system administrator
and the user agent vendor.
> The "autocomplete" attribute is now defined in terms of semantics: it
> means the field is sensitive. I think that's quite a legitimate thing to
> be able to specify.
That is an improvement, though it doesn't address my earlier concern
that any form with a password could be considered sensitive information.
Hopefully, authors have enough common sense to realise its
ramifications outweigh any semantic usefulness (I don't believe it has
any beyond what type="password" means). I do, however, like the new
example: "the activation code for a nuclear weapon", which suggests that
only terrorists should make use of this attribute. :-)
> I honestly don't see that authors would want to use autocomplete="off".
Yet, you seem to have plenty of evidence that they do!
> But if you think about it, if they do, that might actually be good on the
> long term: browsers will eventually be forced to stop supporting it,
> having more pressure from their users than from the banks.
At least the spec now allows for this scenario by making it say
>>>which is pointless: the sites are going to use these features
>>>regardless, why make people have to violate the spec to do so.
>>Then why is the size attribute deprecated now? ...
> Because there they don't _have_ to use it. They can get the same effect
> without using the deprecated features.
They don't have to use autocomplete either, they could get the same
effect by writing a stern warning near the form, recommending that users
do not make use of autocomplete facilities, which would allow the user
to make an informed decision.
> If you don't want it, then disable support in your UA.
Will do, when bug 124065 gets fixed again, though there is at least an
extension available that I can use in the meantime.
(See comments 11 and 23)
http://GetFirefox.com/ Rediscover the Web
http://GetThunderbird.com/ Reclaim your Inbox