
7.0.2: Autocomplete="off" still busted

Using JS, even with the latest updates this morning, autocomplete="off" is ignored


Try

http://jsfiddle.net/BBEm8/4/


in Chrome and Safari. Submit the form (you will get a csrf error), click save password, then refresh the page.... the user pass is autofilled, even though the html form marks autocomplete='off'


When will a fix be available?

OS X Mavericks (10.9.2)

Posted on Feb 25, 2014 9:46 PM


Posted on Mar 5, 2014 7:05 PM

To be clear on the above:

The issue is that Safari is ignoring security instructions given by page markup. This contradicts all other browsers and W3C standards. Please look at the example I have given you and try it, it will demonstrate the problem.... which is:


Even when markup mandates that autocomplete should be turned off, Safari will autocomplete username / password fields regardless. This is not good.


Steps to reproduce:

1) Open http://jsfiddle.net/BBEm8/4/ in Safari 7.0.2 (9537.74.9)

2) In the 'Result' panel, enter in the first box: 'itsNot'

3) In the 'Result' panel, enter in the first box: 'working'

4) Click the 'Go' button

5) When prompted 'do you want to save the password', select yes

6) Refresh the page

7) Note the first and second boxes are auto populated with the values 'itsNot' and 'working', even though the html markup clearly asks it not to


8) Open in any other browser of your choice (Chrome, Firefox, even IE)

9) Retry the above steps and note that the fields are not being auto populated.

Apr 15, 2014 8:10 AM in response to BenkiZelman

This is a significant issue. I've found Safari incorrectly overwriting fields with my login details in forms within systems because there happens to be a password field somewhere on the form.


This leads to data loss and exposure of my login information if I don't happen to spot that Safari is doing it (which may be off the bottom of the visible page on long forms).


While I understand the user choice perspective, autocomplete="off" is required in many legitimate instances. At least in previous versions the browser gave the option to the user to ignore - now even that has gone.

Apr 21, 2014 3:30 PM in response to BenkiZelman

Yes, Apple should have left the option to turn it on and off in the settings. Me personally I need it turned off since when they make you type in the bloody form it invites you to use a simple (WEAK) password so you can remember it and type it in. So all these sites thinking it is good security are fools.


In your case it makes sense to have it off. So I hope Apple brings back the option instead of forcing one way or the other.


I imagine they thought it would be better turning it off since most noobs would consider it as a malfunction when their password isn't autofilled and blame Apple. However they should have just changed the default to having it off, and the more savvy people like yourself could just go in and turn it on 🙂

Feb 11, 2015 2:33 AM in response to BenkiZelman

This is a critical issue for Safari.


For example, in my testing, Safari is somehow deducing input fields from surrounding DOM as well.


When examining why on earth Safari auto-completes a field with my contacts email address I see in the dom:


<tr>

<td valign="top" width="30%"><b>Mail server</b></td>

<td valign="top"><div style="font-size: small"><input size="40" value="127.0.0.1" name="v27115_656" type="text"></div></td>

</tr>


There is no way Safari should be auto completing v27115_656 with an email address unless they have some fuzzy idea that "<td valign="top" width="30%"><b>Mail server</b></td>" is meant to be 'Email'


They must have put in some *mail* match logic in here to catch all 'mail' like values, not doing it as a normal developer would expect, i.e. explicit name='email' or other standard vcard type naming rule.


I have to say, with the non-compliance with autocomplete=off, Safari is about as good as worthless if you want to use some web-based administration system, and still like to use Safari for browsing other websites.


I have posted a bug report, but as usual it's like tearing up paper and throwing the remains into the wind.


I am shaking my head and hope that the browser is given some desperately needed attention in the near future or at least open sourced so we can fix this bug.


Please post a bug on bugreport.apple.com


Safari 8 has all these issues.
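
Added example, not part of any post in this thread: a small Node.js audit that flags inputs in static form markup that are exposed to the two behaviours reported above (password fields filled despite autocomplete="off", and text fields matched through a nearby label). The function names, the password and port rows, and the rule "label is the preceding table cell and contains 'mail'" are assumptions taken from the poster's hypothesis, not confirmed Safari logic.

```javascript
// Added example: audit form markup for inputs exposed to the autofill
// behaviour reported in this thread. Regex-based, for simple static markup.

// Constructed sample: the table row quoted in the post, plus two invented rows.
const SAMPLE = `
<form>
<tr>
<td valign="top" width="30%"><b>Mail server</b></td>
<td valign="top"><div style="font-size: small"><input size="40" value="127.0.0.1" name="v27115_656" type="text"></div></td>
</tr>
<tr>
<td><b>Admin password</b></td>
<td><input name="v27115_657" type="password" autocomplete="off"></td>
</tr>
<tr>
<td><b>Port</b></td>
<td><input name="v27115_658" type="text" autocomplete="off"></td>
</tr>
</form>`;

// Read one attribute value from an <input ...> tag; null when absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Assumption: the label is the text of the first cell in the input's row,
// and "mail" in that label is the trigger the poster suspects.
function auditAutofill(html) {
  const findings = [];
  for (const row of html.split(/<tr[\s>]/i).slice(1)) {
    const cell = /<td[^>]*>([\s\S]*?)<\/td>/i.exec(row);
    const label = cell ? cell[1].replace(/<[^>]+>/g, "").trim() : "";
    for (const tag of row.match(/<input\b[^>]*>/gi) || []) {
      const name = attr(tag, "name");
      const type = (attr(tag, "type") || "text").toLowerCase();
      const ac = (attr(tag, "autocomplete") || "").toLowerCase();
      if (type === "password" && (ac === "" || ac === "off")) {
        // Reported in the thread: filled even though the markup says "off".
        findings.push({ name, label, reason: "password-field-autofill" });
      } else if (type !== "password" && ac === "" && /mail/i.test(label)) {
        // Reported in the thread: field matched through surrounding DOM text.
        findings.push({ name, label, reason: "label-heuristic-match" });
      }
    }
  }
  return findings;
}

console.log(auditAutofill(SAMPLE));
```

Flagged fields are the ones to check by hand in the browsers your administrators use, since a silently overwritten value on a long form is easy to miss before saving.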

Mar 3, 2015 5:17 PM in response to BenkiZelman

Still busted as of Safari 8.0.3. (OS X)


Additional info:

Safari seems to respect the autocomplete="off" setting if the form isn't using SSL/https.

In fact, the autocomplete behavior is generally different:

  • Without SSL, it asks if you want to autofill once it has enough info to think it is relevant (which is nice).
  • With SSL, email and password fields are immediately filled when you enter the form (which ***** in the case of admin forms etc.).


If you inspect a form which is misbehaving and change some include link, like a fonts library from https://... to http://..., Safari will immediately remove the lock icon (no longer secure) and let the inputs display the proper values! BTW this is a tighter standard than other browsers. The form is still encrypted, of course, so I am considering a scheme that leverages this to temporarily 'downgrade' the security to suppress autocomplete. (But, I shouldn't have to do it.)


This is really frustrating to those of us that really like using Safari.
