[whatwg] Improving autocomplete

[Mounir Lamouri]

On 11/11/12 13:26, Charles McCathie Nevile wrote:
> On Sun, 11 Nov 2012 07:50:48 +0100, Maciej Stachowiak <mjs at apple.com>
> wrote:
>> (1) If this API fills in a form completely based on stored data, and
>> not by completing the user's typing, then it is "autofill" rather than
>> "autocomplete".
> 
> Yep.
> 
>> (2) If this API provides the ability to get user information without
>> even having a visible form, then it's not clear that it is even really
>> autofill. It's just "requestUserInformation()" or something.
> 
> Right. It's like openly shared super-cookies...
> 
>> (3) This API has important privacy and even security considerations.
> 
> Yes.
> 
>> You have to tell the user exactly what you are going to fill in to the
>> site before they approve.
> 
> And because as soon as you put it into the input field the site can use
> it, as a basic security measure it seems like you should never autofill
> without explicit user confirmation.
> 
>> Unfortunately, most won't read it.
> 
> Indeed.
> 
>> If sites are asking for so much info that they have to split pages for
>> usability, then it seems likely the UI that tells the user what the
>> site is asking for will be impractical for most users to meaningfully
>> review.
> 
> Yes. This is a problem I face from time to time, and I think its
> seriousness is underestimated. This process can be used to collect all
> sorts of information before the user realises they didn't want to hand
> it over.
> 
>> This becomes especially dangerous if the mechanism can fill in credit
>> card info.
> 
> That assumes your most valuable info is about your credit card, which is
> only the case for a certain proportion of people.
> 
>> I would be very nervous if the browser could at any moment pop up a
>> dialog that would submit all my credit card info to a dubious site if
>> I slip and click the wrong button. Can you expand more on what thought
>> you have given to the security considerations?

I share the same concerns as Charles and Maciej (see above).

Especially, even if there is an unspoofable UI that is clearly
recognised as part of the browser chrome, any malicious author would be
a click close from getting your credit card number information. If I
understand it correctly, it would be as easy as writing a <form> with
some <input autocomplete="cc-{number,name,...}"> and then call
requestAutocomplete(). If the user press "OK", the page will got those
information, right?
This might be the same security mechanism as geolocation but the outcome
would be so tempting that people might try way harder to get your credit
card information than your location.

In addition, I wonder how valid the use cases of this feature are.
Nowadays, I feel like most websites will, by default or trough opt-in,
save all information so when you come back, you do not have to enter
your address, credit card information and anything else. Seems like
those websites have solved the issue themselves.
I feel like the real use case is when a user wants to make custom with a
web site for the first time. It might be indeed harder to get a good
transformation ration if the user has to write all those information.
However, I doubt we should add such a scary feature for that use case.

Cheers,
--
Mounir