Author Topic: Undo autocomplete disabling  (Read 14766 times)

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
Undo autocomplete disabling
« on: May 28, 2005, 04:34:31 PM »
Many websites use the "autocomplete" HTML attribute to prevent firefox from storing form and password information. Back in the days of weak passwords, this arguably made sense.

Now that PasswordMaker is on the scene, turning off autocomplete serves to only prevent Firefox from remembering the username.  The password is still filled in (if this PasswordMaker feature is enabled), which is a good thing, since the autocompleting is now done in a secure manner.

There is a bookmarlet that removes the autocomplete attributes from a page. This allows Firefox to remember the username as part of its saved form information. The feature that I am requesting is to integrate the functionality to strip autocomplete attributes directly into PasswordMaker.

For reference purposes, here is the bookmarklet:

java script:(function(){var ca,cea,cs,df,dfe,i,j,x,y;function n(i,what){return i+%22 %22+what+((i==1)?%22%22:%22s%22)}ca=cea=cs=0;df=document.forms;for(i=0;i<df.length;++i){x=df;dfe=x.elements;if(x.onsubmit){x.onsubmit=%22%22;++cs;}if(x.attributes[%22autocomplete%22]){x.attributes[%22autocomplete%22].value=%22on%22;++ca;}for(j=0;j<dfe.length;++j){y=dfe[j];if(y.attributes[%22autocomplete%22]){y.attributes[%22autocomplete%22].value=%22on%22;++cea;}}}alert(%22Removed autocomplete=off from %22+n(ca,%22form%22)+%22 and from %22+n(cea,%22form element%22)+%22, and removed onsubmit from %22+n(cs,%22form%22)+%22. After you type your password and submit the form, the browser will offer to remember your password.%22)})();

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Undo autocomplete disabling
« Reply #1 on: May 28, 2005, 05:24:20 PM »
Excellent idea! I will add it to the list shortly and schedule it for a release.

Thank you,
Eric H. Jung

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
Undo autocomplete disabling
« Reply #2 on: September 19, 2005, 05:46:36 PM »
I noticed that this is implemented in a sense in 0.8.4.  I was thinking it would be most useful to ensure autocomplete for all the fields except password fields (why save what can be generated?).  In particular, autocomplete for the username is the most valuable, since it allows the FireFox password manager to save the username and then automatically populate it on subsequent visits.

Ideally of course, you would want PassworkMaker (not the pw manager) to automatically populate the username.  This way, the FireFox passwork manager could be turned off altogether, while still having all credentials automatically filled in.

On way to do this is for PassworkMaker to ensure autocomplete and then on subsequent visits fill in the first saved autocomplete item for any fields that look like usernames.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Undo autocomplete disabling
« Reply #3 on: September 19, 2005, 08:08:25 PM »
Quote
I noticed that this is implemented in a sense in 0.8.4. I was thinking it would be most useful to ensure autocomplete for all the fields except password fields (why save what can be generated?). In particular, autocomplete for the username is the most valuable, since it allows the FireFox password manager to save the username and then automatically populate it on subsequent visits.
Makes sense. How about I make it so all autocompletes are turned on--passwords, usernames, whatever they may be.

Quote
Ideally of course, you would want PassworkMaker (not the pw manager) to automatically populate the username. This way, the FireFox passwork manager could be turned off altogether, while still having all credentials automatically filled in.
PasswordMaker already automatically populates usernames, so I'm not sure why you're relying on Firefox for that?

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
Undo autocomplete disabling
« Reply #4 on: September 20, 2005, 09:02:46 PM »
Quote
How about I make it so all autocompletes are turned on--passwords, usernames, whatever they may be.

I depends on the details of what "all turned on" means.  Typically, you don't want to FireFox's autocomplete cache containing passwords, since they're secret.  Normally, AFAIK this isn't a problem since browsers never put passwords in the autocomplete cache, regardless of whether a page has autocomplete=off.  So as long as PasswordMaker doesn't override the browser behavior, everything's fine.

Quote
PasswordMaker already automatically populates usernames, so I'm not sure why you're relying on Firefox for that?

The problem is that different sites require different usernames (email on some sites versus C identifier style on others).  There is no automatic way to have PasswordMaker remember the username (need to open dialog and manually create group and/or account), whereas Firefox's autocomplete "just works" without any manual intervention.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Undo autocomplete disabling
« Reply #5 on: September 21, 2005, 04:41:13 AM »
Quote
Typically, you don't want to FireFox's autocomplete cache containing passwords, since they're secret.
Implemented in 0.8.5. All non-passwords get autocomplete turned on if you check Global Settings->Enable browser auto-complete

Quote
on subsequent visits fill in the first saved autocomplete item for any fields that look like usernames.
i'll look into this. Tyrantmizar, can you add to the FRL?

Regards,
Eric
« Last Edit: September 21, 2005, 04:41:57 AM by Eric H. Jung »

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
Undo autocomplete disabling
« Reply #6 on: September 21, 2005, 02:13:37 PM »
I tried this out, but at least on the site I tried, it didn't work.  :(

I have a theory why, however.  The site I tried this on applied the autocomplete attribute to the form element, like this:

Code: [Select]
<form autocomplete="off" name="Login" method="post" ...
Is perhaps PasswordMaker only looking at input elements?

A small other note, the global setting check box caption is missing its left parenthesis.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Undo autocomplete disabling
« Reply #7 on: September 21, 2005, 04:30:33 PM »
Quote
Is perhaps PasswordMaker only looking at input elements?
That is correct. I didn't know you could put that attribute on <form/> elements. I'll fix in the next release, but are there any other gotchas I should know about?

Quote
A small other note, the global setting check box caption is missing its left parenthesis.
Thanks for noticing it--I didn't. Fixed and will be in the next release.

-Eric

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
Undo autocomplete disabling
« Reply #8 on: September 21, 2005, 07:06:18 PM »
Quote
are there any other gotchas I should know about?
I don't know.  I didn't know about putting the tag on a form element either, until the autocomplete didn't work and I started to investigate.

Probably, the pages I looked at in the past happened to put the tag on input elements.  For those same pages, I had already forced the autocomplete using the js bookmark.  So to test 0.8.5, I went to a site for which I hadn't used the js bookmar, and it happened to be the one to do things differently.  :hehe:

Offline breyed

  • Jr. Member
  • **
  • Posts: 28
Undo autocomplete disabling
« Reply #9 on: September 21, 2005, 07:14:10 PM »
I looked at the specs.  The official
w3 standard for autocomplete doesn't allow it on a form element.

However, perhaps there is a wider de facto standard, since Microsoft's documentation does mention applying an autocomplete attribute to a form element.

Offline Eric H. Jung

  • grimholtz
  • Administrator
  • *****
  • Posts: 3353
Undo autocomplete disabling
« Reply #10 on: September 21, 2005, 10:43:21 PM »
Note that if you want autocomplete removed from form elements in addition to input elements, I won't be able to prevent the browser from storing password fields.

PasswordMaker Forums

Undo autocomplete disabling
« Reply #10 on: September 21, 2005, 10:43:21 PM »