[whatwg] [WF2] Objection to autocomplete Attribute

Lachlan Hunt lachlan.hunt at lachy.id.au
Wed Mar 23 16:46:09 PST 2005 

Ian Hickson wrote:
> On Thu, 24 Mar 2005, Lachlan Hunt wrote:
>># Support for the attribute *should* be enabled by default...
> 
> Ok, I changed the must to a should. But I left the bit about not making it 
> trivially disablable.

Thank you, but I don't understand why making it trivially disableable 
could not be moved to the note, nor why the spec even needs to suggest 
such user agent behaviour.  However, at least it is now "should", so I 
will accept it if I must.


>From a browser vendor point of view, if the alternatives are:
> 
>  a. Allow users to use autocomplete on all sites, but don't let users
>     use bank sites at all, or
>  b. Allow sites to specify when autocomplete should be unavailable, and
>     let users use their bank sites,

c. Allow sites to specify when autocomplete should be unavailable *by
    default* and let users use their bank sites, but give the users final
    say about the issue.  Any organisation that complains about the user
    having such control is being unrealistic and simply needs to be
    reminded that it is a *user agent*, not an author agent.

    - Both users and user agent vendors complain to the organisation
      about not allowing them access.
    - Organisations excercising user-hostile behaviour to exclude a large
      portion of their users either give in to the pressure.
      OR
    - User's switch to another organisation that caters for their needs,
      user-hostile organisations lose market-share to a competitor that
      respects a user's rights, and eventually gives into pressure
      anyway.
    - Unfortunately, the last option is that users give into pressure
      from the organisation and switch back to IE, which I realise
      vendors must take into consideration; however, they must balance
      the needs of the users with the organisations.

(I will be complaining to the one organsiation I use, that I recently 
discovered uses autocomplete.  At least, they finally agreed to support 
the increasing number of non-IE users a while ago after many complaints, 
so I think they'll give in to enough pressure over this too)

> Web authors have, IMHO, a legitimate reason to try to protect their users
> from mis-configured public terminals.

This issue could be addressed by making user agents much easier to 
configure for public terminals.  eg. The user agent vendor could provide 
a setting, extension, config file or whatever that may be easily 
installed by public terminal operators, which automatically configures 
the most appropriate options such as disabling autocompletion 
facilities, not remembering browsing history between sessions, 
disallowing software installation by general users (eg. Mozilla 
extensions) and any other configuration often required in such 
circumstances.  The point is that there should be *no reason* for an 
author to take on the responsibility of the user/system administrator 
and the user agent vendor.

> The "autocomplete" attribute is now defined in terms of semantics: it 
> means the field is sensitive. I think that's quite a legitimate thing to 
> be able to specify.

That is an improvement, though it doesn't address my earlier concern 
that any form with a password could be considered sensitive information. 
  Hopefully, authors have enough common sense to realise its 
ramifactions outweight any semantic usefulness (I don't believe it has 
any beyond what type="password" means).  I do, however, like the new 
example: "the activation code for a nuclear weapon", which suggests that 
only terrorists should make use of this attribute. :-)

> I honestly don't see that authors would want to use autocomplete="off". 

Yet, you seem to have plenty of evidence that they do!

> But if you think about it, if they do, that might actually be good on the 
> long term: browsers will eventually be forced to stop supporting it, 
> having more pressure from their users than from the banks.

At least the spec now allows for this scenario by making it say 
"should:. :-)

>>>which is pointless: the sites are going to use these features 
>>>regardless, why make people have to violate the spec to do so.
>>
>>Then why is the size attribute deprecated now? ...
> 
> Because there they don't _have_ to use it. They can get the same effect 
> without using the deprecated features.

They don't have to use autocomplete either, they could get the same 
effect by writing a stern warning near the form, recommending that users 
do not make use of autocomplete facilities, which would allow the user 
to make an informed decision.

> If you don't want it, then disable support in your UA.

Will do, when bug 124065 gets fixed again, though there is at least an 
extension available that I can use in the mean time.
(See comments 11 and 23)
https://bugzilla.mozilla.org/show_bug.cgi?id=124065#c11

-- 
Lachlan Hunt
http://lachy.id.au/
http://GetFirefox.com/     Rediscover the Web
http://GetThunderbird.com/ Reclaim your Inbox

More information about the whatwg mailing list