Seriously, browsers? That's how autocomplete is supposed to work
-
Dear readers,
I would like to direct your attention to an article on the Mozilla Dev Pages:
Specifically I want you to look at the paragraph halfway through:
In some case, the browser will keep suggesting autocompletion values even if the autocomplete attribute is set to off. This unexpected behavior can be quite puzzling for developers. The trick to really force the no-completion is to assign a random string to the attribute like so :autocomplete="nope"
Since this random value is not a valid one, the browser will give up.
Is that seriously how Browsers are supposed to work?
: I want you to not fill out this form, please.
I see you want me to not fill out this form, so I will fill out this form.
I want you to GARBHHGLGSL with the autocomplete on this form.
I don't understand what you want. So I will not fill out this form.Filed Under: INB4 people telling how it's morally wrong to disable autocomplete and how I am the bad one here
Also Filed Under: I assume somebody at some point already made a topic about this... if not, mehpaging @RaceProUK
-
@Kuro Doesn't the SGML/HTML spec specifically say that attributes that aren't understood are to be ignored?
So shouldn't
autocomplete="gaseousdisaster"
result in the default autocomplete behavior? Am I crazy, or is Mozilla?
-
BROWSERS!
This is almost the same idiocy as setting checkboxes or radios in XHTML. Since every attribute needs a value in XHTML most people would do
checked="checked"
, but AFAIR the browsers just checked if the value was "truthy", sochecked=":poop:"
would work just as well. Hell, evenchecked=""
would, but justchecked
is an error.Disclaimer: might not be all browsers, but that's what my memory suggests.
-
@Onyx checked="blue"
-
Autocomplete is a minefield. Further down the page:
"if a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page."
-
First, easy stuff:
@Kuro said in Seriously, browsers? That's how autocomplete is supposed to work:
INB4 people telling how it's morally wrong to disable autocomplete and how I am the bad one here
It is morally wrong to disable autocomplete and any dev that does that is a shitburger
@blakeyrat said in Seriously, browsers? That's how autocomplete is supposed to work:
Am I crazy, or is Mozilla?
Yes.
Okay, onto reply:
The only way to disable autocomplete completely is to use random-generated IDs and names on your form elements. But then you're bending over backwards to break a piece of functionality that your users want. And then you're a shitburger.
Or you could break the form in new and interesting ways, like poorly implementing a "placeholder" value inside the input element and using janky javascript to remove it onfocus. That always breaks shit, and makes you a shitburger for not knowing what a
<label>
is.
-
@Lorne-Kates said in Seriously, browsers? That's how autocomplete is supposed to work:
It is morally wrong to disable autocomplete
Only for login forms. There are cases where it actually makes sense (i.e. captcha input field).
-
@asdf or search fields that provide their own auto complete.
-
@Onyx but at least that makes sense from a certain technical point of view. Treating unknown values as the only way to disable a feature does not make sense from any point of view.
-
@anonymous234 I did say almost. I agree this is worse.
-
Or you could break the form in new and interesting ways, like poorly implementing a "placeholder" value inside the input element and using janky javascript to remove it onfocus. That always breaks shit, and makes you a shitburger for not knowing what a <label> is.
There's a website that I have to use to report grades that can one-up you on this. The placeholder value is not removed, so you have to do it manually. Even better, there are combo boxes with only one item. ... Plus the pre-selected placeholder. And in other places I have to manually remove the placeholdr and fill in my acronym in a textbox despite me being logged in with the same acronym and the only permissible value is -you guessed it- my acronym.
-
@Kuro said in Seriously, browsers? That's how autocomplete is supposed to work:
Filed Under: INB4 people telling how it's morally wrong to disable autocomplete and how I am the bad one here
I wouldn't say morally wrong... just normal wrong. At least in 90% of the cases.
There are some cases where autocomplete should actually be disabled, but unfortunately idiots keep misusing that feature for whatever bullshit reason they have. "Users should not be able to paste or autocomplete their password in the login form because it's a SECURITY ISSUE!!!!!!" and then the users get angry and demand that browser makers remove that capability from developers, and browser makers eventually give in. There is just no way to make everyone happy .
-
@anonymous234 said in Seriously, browsers? That's how autocomplete is supposed to work:
"Users should not be able to paste or autocomplete their password in the login form because it's a SECURITY ISSUE!!!!!!"
Let me use the shortest password possible then and keep it on a post-it stuck to the monitor.
Seriously, if a user chooses to be stupid there's only so much you can do. Can we stop messing with standardized behavior in some quixotian attempt to save the idiots from themselves?
-
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
keep it on a post-it stuck to the monitor
That's still pretty secure. It's hard to remotely attack a post-it note.
-
@ben_lubar said in Seriously, browsers? That's how autocomplete is supposed to work:
It's hard to remotely attack a post-it note.
Standard social hacking approach should work fine: phone up a colleague and ask them to read it out to you “for security checking reasons”.
-
@ben_lubar said in Seriously, browsers? That's how autocomplete is supposed to work:
That's still pretty secure.
That depends on the environment, doesn’t it? It should usually be OK on a computer at home but in an office with hundreds of people around I wouldn’t exactly call it good practice.
-
@dkf said in Seriously, browsers? That's how autocomplete is supposed to work:
Standard social hacking approach should work fine
It's easy. The amount of places I just sauntered into with a laptop under my arm, said I'm "the phone guy" and plugged my machine into first available network port completely uncontested is frankly terrifying.
Now, I wasn't lying mind you, but fucking hell!
-
@Onyx our network supposedly blocks a new mac address it doesn't know
-
@fbmac most places I've been it's DHCP and unprotected Samba shares all the way down.
-
@fbmac Our wired network actually does that. It was originally introduced to discourage people from putting up rogue (and horribly misconfigured) wifi hubs and DHCP servers. It works at that, but adds to the bureaucratic awkwardness of bringing any new system online.
Luckily, we can put any system on our wifi networks (provided users authenticate).
-
I remember when I got into some official online portal with my math teacher's username and password that I saw on a post-it. Good times.
-
@anonymous234 Back when I was in college (about 10 years ago), it was common knowledge among the students that most of the faculty left their passwords at the default (which was 'password'), and usernames were derived from last name and first initial, so it was easy to log in as a teacher to bypass web filters (and probably other nefarious activities, but I never tried that).
-
@asdf said in Seriously, browsers? That's how autocomplete is supposed to work:
Only for login forms. There are cases where it actually makes sense (i.e. captcha input field).
Most CAPTCHAs have rando ids anyways, for anti-bot.
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
@asdf or search fields that provide their own auto complete.
You mean an auto-complete that doesn't work half the time? OR you can accept the autocomplete and the accompanying POST because your search is inside a form right-- a bog standard form that the site can fall back on, or are you a shitburger?
Also, I might want to search for the same term more than once. Sometimes a while later, and the only way I'll remember the magical search term that got me my results is through autocomplete.
@Mikael_Svahnberg said in Seriously, browsers? That's how autocomplete is supposed to work:
a website that I have to use to report grades
Dear God, I'm sorry. Your pain is beyond measure.
@dkf said in Seriously, browsers? That's how autocomplete is supposed to work:
“for security checking reasons”
Does this really work? "Excuse me, I'll need you to give me a blowjob 'for security checking reasons".
-
@Lorne-Kates said in Seriously, browsers? That's how autocomplete is supposed to work:
Most CAPTCHAs have rando ids anyways, for anti-bot.
I don't see how that would help stop bots any more than a CAPTCHA already would by having to be loaded in the first place.
-
@Lorne-Kates said in Seriously, browsers? That's how autocomplete is supposed to work:
your search is inside a form right-- a bog standard form that the site can fall back on
Even aside from graceful degradation not doing so is actual work. I have no idea which idiot thought it was a good idea not to put any form elements on pages. I you want to do fancy shit with the data just capture the damned
submit
event! Oh, no, capturing the click and then having to mess around with extra selectors and shit, that's a better idea!@Lorne-Kates said in Seriously, browsers? That's how autocomplete is supposed to work:
Also, I might want to search for the same term more than once. Sometimes a while later, and the only way I'll remember the magical search term that got me my results is through autocomplete.
Ok, not a search box... think something like a, dunno, city input. After 10 other people already typed in "New Bumfuckingshire" while having Wales selected in the country dropdown I might as well suggest that to you as soon as you type in
Ne
, right?
-
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
Ok, not a search box... think something like a, dunno, city input. After 10 other people already typed in "New Bumfuckingshire" while having Wales selected in the country dropdown I might as well suggest that to you as soon as you type in Ne, right?
OTOH, it would save you a lot of typing if you needed to put down Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.
-
@Dreikin said in Seriously, browsers? That's how autocomplete is supposed to work:
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
Ok, not a search box... think something like a, dunno, city input. After 10 other people already typed in "New Bumfuckingshire" while having Wales selected in the country dropdown I might as well suggest that to you as soon as you type in Ne, right?
OTOH, it would save you a lot of typing if you needed to put down Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.
-
@Dreikin F'tagn?
-
@Onyx
No, here, let me help you:
How To Say Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch – 03:23
— donwoodswirral
-
@Dreikin Yes, I'm aware, I was just making a stupid joke. Also, that name is more of a publicity stunt than something that was ever seriously used, AFAIK.
-
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
@Dreikin Yes, I'm aware, I was just making a stupid joke. Also, that name is more of a publicity stunt than something that was ever seriously used, AFAIK.
I figured you did, but I flubbed the joke I was trying. Probably because I put nearly zero effort into it.
-
@Dreikin
Still wondering if there is a Daffyd in the village ... and if he's the only one.
-
@ben_lubar said in Seriously, browsers? That's how autocomplete is supposed to work:
It's hard to remotely attack a post-it note.
-
@Luhmann said in Seriously, browsers? That's how autocomplete is supposed to work:
@Dreikin
Still wondering if there is a Daffyd in the village ... and if he's the only one.There probably isn't a Daffyd. There might be a Dafydd, though.
(These two words have similar pronunciations if you follow English-language orthography. Welsh orthography makes them sound quite different. "Daffyd" would sound more or less the same in both orthographies, but Welsh orthography has the single "f" sounding like a "v" and the "dd" sounding like the "th" in "this". (There's no consistent way to spell the resulting sound in English conventions. "DavviTH" might do if we accept a convention that a trailing "TH" is pronounced "voiced" like "th" in "this", while a trailing "th" is pronounced unvoiced like "th" in "thin".))
-
@Steve_The_Cynic said in Seriously, browsers? That's how autocomplete is supposed to work:
(There's no consistent way to spell the resulting sound in English conventions. "DavviTH" might do if we accept a convention that a trailing "TH" is pronounced "voiced" like "th" in "this", while a trailing "th" is pronounced unvoiced like "th" in "thin".))
ð ('eth') should work, with þ ('thorn') for ðe oðer. Ðey're boþ English, and ð is now ðe IPA symbol for ðe voiced version. Granted, in English ðey were used more or less interchangeably, but ðe IPA usage leads to an easy way to push for ðeir differentiation. Also, it'd be mostly in line with Icelandic, where ðey're boþ still used.
-
@Dreikin Just one problem: boþ are awkward to type on my keyboard. :)
-
@dkf Obviously you have a defective keyboard layout. US-International FÐW!
-
@Dreikin said in Seriously, browsers? That's how autocomplete is supposed to work:
Obviously you have a defective keyboard layout.
Or no compose key.
Compose + t + h
works as well.
-
-
@Dreikin said in Seriously, browsers? That's how autocomplete is supposed to work:
Obviously you have a defective keyboard layout.
No, just one optimised for typing †.
-
@dkf said in Seriously, browsers? That's how autocomplete is supposed to work:
@Dreikin said in Seriously, browsers? That's how autocomplete is supposed to work:
Obviously you have a defective keyboard layout.
No, just one optimised for typing †.
Huh, I'm surprised I can't find ðat one on ðere. Tells you how much I use daggers.
-
@Dreikin said in Seriously, browsers? That's how autocomplete is supposed to work:
@Steve_The_Cynic said in Seriously, browsers? That's how autocomplete is supposed to work:
(There's no consistent way to spell the resulting sound in English conventions. "DavviTH" might do if we accept a convention that a trailing "TH" is pronounced "voiced" like "th" in "this", while a trailing "th" is pronounced unvoiced like "th" in "thin".))
ð ('eth') should work, with þ ('thorn') for ðe oðer. Ðey're boþ English, and ð is now ðe IPA symbol for ðe voiced version. Granted, in English ðey were used more or less interchangeably, but ðe IPA usage leads to an easy way to push for ðeir differentiation. Also, it'd be mostly in line with Icelandic, where ðey're boþ still used.
Yeah, I guess that would work, except that eth and thorn aren't part of Modern English. The only Middle English text I've read had been edited lightly, to use modern letters rather than using eth, thorn, and wynn. It was still a challenge to read, because half the words were Germanic in origin where the modern equivalents are Franco-Latino-Greek in origin. I won't even mention the erratic spelling and the fact that the Middle English spelled both 'he' and 'they' as 'he'.
-
@Steve_The_Cynic said in Seriously, browsers? That's how autocomplete is supposed to work:
It was still a challenge to read, because half the words were Germanic in origin where the modern equivalents are Franco-Latino-Greek in origin.
It depends on which dialects you know as well; the preferred word for things still varies quite a bit within the country to this day. It helps a lot to know a bunch of German and Danish though.
-
@Lorne-Kates said in Seriously, browsers? That's how autocomplete is supposed to work:
Does this really work? "Excuse me, I'll need you to give me a blowjob 'for security checking reasons".
I'm sure that line was featured in a video somewhere before ...
-
@aliceif I'm still waiting for updates of old classics.
"Hello, I have come to fix the
washing machineExchange server"
-
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
@aliceif I'm still waiting for updates of old classics.
"Hello, I have come to fix the
washing machineExchange server"Warum liegt hier überhaupt Stroh rum? -ORIGINAL- – 00:21
— BeerPirate1
-
@Anonymouse this attack only affect windows users
-
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
I'm still waiting for updates of old classics.
"Hello, I have come to fix thewashing machineExchange server"So you're thinking about a career in porn now? Is your job really that bad?
-
@asdf not if that's my line. No amount of sex is worth even coming near an Exchange server.
-
@Onyx said in Seriously, browsers? That's how autocomplete is supposed to work:
not if that's my line.
I can also work with "I'm here to fix the phone in the elevator". ;)