[whatwg] [WF2] Objection to autocomplete Attribute
James Graham
jg307 at cam.ac.uk
Tue Mar 29 03:23:33 PST 2005
Mikko Rantalainen wrote:
> James Graham wrote:
>
>> Mikko Rantalainen wrote:
>>
>>> My bank uses one-shot passwords for web access
>>
>>
>> Which seems to be an ideal use-case for the autocomplete attribute...
>
>
> But in this case, the autocomplete isn't a *security* feature (though
> my point is, it should never be considered a security feature).
> Instead, it's an enhancement (UA will not store or incorrectly
> suggest old value as valid input) and it should make no difference to
> bank if UA supports that feature or not.
True. But it is a much better use case than the one that is currently in
the spec. Ian, can we change the use case to mention some sort of
one-time password rather than the contrived nuclear weapon example? It
might even encourage people to implement something actually secure
rather than just a set of fixed passwords...
In general I don't see the problem with autocomplete='off'. It does
offer some security. Not very strong but at least as useful as hiding
passwords as *** - a feature which has the same detrimental effect on
usability that autocomplete=off has, is equally useless in the face of a
suitably determined attacker and yet one which few people wish to disable.
> WF2 shouldn't require UAs to support this feature. Just a note that
> some institutions insanely want this feature is enough.
As Anne points out, WF2 uses "should", not "must", so it's not required
for conformance. In effect the spec reads "you can not support this
feature, as long as you don't mind banks not supporting your browser. It
won't make you WF2 non-compliant but since you're unlikely to have any
market share, that's not your biggest problem".
--
"But if science you say still sounds too deep,
Just do what Beaker does, just shrug and 'Meep!'"
-- Dr. Bunsen Honeydew & Beaker of Muppet Labs
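The thread argues that autocomplete='off' on a one-time-password field is a usability/enhancement attribute rather than a security control, and that it costs nothing for a bank to set it. The following is an added example, not code from the original thread or from the WF2 spec: a small defender-side audit that scans form markup for password-type inputs and reports whether each one carries autocomplete="off". The sample form, the field names, and the function names are constructed for this illustration; the scanner is a minimal tag tokenizer rather than a real HTML parser, so it runs under plain Node without a DOM.

```javascript
// Added example (not from the original thread): audit a form's markup for
// password inputs that lack autocomplete="off", the WF2 attribute under
// discussion. Uses a minimal tag scanner so it runs offline in plain Node.

// Parse the attribute list of a single tag body into a name -> value map.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    attrs[name] = value;
  }
  return attrs;
}

// Return one finding per <input type="password"> in the markup, recording
// the autocomplete value seen (null when absent) and whether it is "off".
function auditPasswordInputs(html) {
  const findings = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    // HTML defaults a missing type to "text", so only explicit password fields count.
    if ((attrs.type || "text").toLowerCase() !== "password") continue;
    const ac = (attrs.autocomplete || "").toLowerCase();
    findings.push({
      name: attrs.name || "(unnamed)",
      autocomplete: ac || null,
      autocompleteOff: ac === "off",
    });
  }
  return findings;
}

// Constructed sample form (hypothetical bank login, not a real site): one
// one-time-password field set correctly, one PIN field with no attribute,
// and one legacy field that explicitly opts back in to autocompletion.
const SAMPLE_FORM = `
<form action="/login" method="post">
  <input type="text" name="account">
  <input type="password" name="one-time-password" autocomplete="off">
  <input type="password" name="pin">
  <input type='password' name='legacy' autocomplete='on' />
</form>`;

// Human-readable summary of the audit; the findings themselves are returned
// by auditPasswordInputs so callers can act on them programmatically.
function reportFindings(html) {
  return auditPasswordInputs(html).map((f) =>
    `${f.name}: autocomplete=${f.autocomplete ?? "<absent>"} ` +
    (f.autocompleteOff ? "(ok)" : "(UA may store and re-suggest this value)")
  );
}

for (const line of reportFindings(SAMPLE_FORM)) console.log(line);
```

Run it with `node audit.js`; the three password fields are listed, and only the one-time-password field is marked ok. Note that this check only reflects what the markup asks for; as the thread says, a user agent is free to ignore the attribute, so the audit measures hygiene of the form, not protection against a determined attacker.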