[whatwg] Improving autocomplete

Peter Kasting pkasting at google.com
Wed Nov 21 17:26:07 PST 2012

On Wed, Nov 21, 2012 at 5:11 PM, Nils Dagsson Moskopp <
nils at dieweltistgarnichtso.net> wrote:

> The proper solution is to let people vote with their wallet for devices
> that are perceived as making input easier – not to hand over power to
> site users making it easier to sniff data.

This contains what I think are multiple false assumptions:
(1) It's reasonable to discriminate against devices that don't make input
as easy as my desktop computer with its full-size keyboard.  Given the rise
of mobile web usage, it seems clear that users will increasingly access the
web with devices that physically can never be as accommodating as my
desktop computer can.  I don't think that allows us to simply say "oh well"
and ignore the problem.
(2) The proposals make it "easier to sniff data".  The entire point of my
email was that IMO this is simply false.

> It's already the case that Chrome can autofill my credit card number
> > into a form that asks for it, so I'm not totally sure why the proposed
> > capabilities here are viewed as new and scary.  It seems like we're
> > just trying to expose a slightly nicer event system for letting
> > authors interact with the existing UA feature set.
> Looks like an is-ought-problem to me. The descriptive (“It's already
> the case …”) can not tell us much about what should be done by virtue
> of its existence alone. Did you use „new and scary” to imply opponents
> appeal to tradition?

No, I used it to make clear that, at least for some UAs, there is no new
user data being exposed in these proposals, nor is existing data being
exposed to whole new types of sites.  A consideration of whether new APIs
represent an additional security or privacy risk must take these factors
into account.  It is also possible that UAs with existing autofill
capabilities (like Chrome) are already insecure today, in which case it'd
be very useful to note existing problems so that these UAs can fix them and
other vendors can avoid the problems.

What Chrome can do is started by users; even then a warning is given:
> <http://support.google.com/chrome/bin/answer.py?hl=en&answer=142893>
> > It's important that you use Autofill only on websites you trust, as
> > certain websites might try to capture your information in hidden or
> > hard-to-see fields.

And those same properties -- that these APIs require a user gesture, that
the UA is in control of the presentation, and that ultimately it is up to
users to use them responsibly -- are all true here as well.

> The systematic difference – for me – is that the proposed functionality
> may make easier to trick a user into agreeing to „autocomplete
> everything“ than the current functionality does.

Please explain precisely how you see this occurring, because this is the
key part of your argument that I don't grasp, but you've provided no
explanation for it.

An informative reply might be a detailed scenario complete with an
explanation of why the malicious site in question could not accomplish a
similar effect with existing UA capabilities.  This would be very helpful
in informing the design here.


More information about the whatwg mailing list