Whoever is responsible for deciding that web browsers should no longer honour the autocomplete=off command without offering a standardised substitute is a complete moron, or morons as this was likely a collective decision.
Here’s a scenario for you;
- You work on a web-based SAAS product that uses Multi-factor authentication, of which a username and password is one of the factors, which users can elect to have their browser remember.
- Your product now also features a secure document creation, where users can enter a password for encrypting their secure documents.
Now, guess what happens when a user creates a secure document and then navigates away from that page…
If you guessed that the user’s browser prompts to update their saved login password – you guessed correctly.
— But wait – you can solve this by adding autocomplete=off to forms and fields surly? Shouldn’t that stop the user’s browser from being helpful? … I hear you say
No. Not any more.
Now the solution is to explore godawful hacks in code to trick the browser into not seeing the password field for the non-login related password.
This particular issue affects an SPA (Single Page Application – like Gmail) and a traditional style multiple page website. We are about to go live with this new secure document feature and have had to brief our customer support team about the strong possibility clients are going to phone up increasingly with issues about their passwords being locked out and confusion over the helpful browser popups about remembering their passwords.
Now, according to this Mozilla dev topic;
This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
Based on a little more digging, this issue should only occur if the browser thinks you are in a login form. This probably means that the HTML generated by our frameworks for our web application is in a terribly confusing state and a user’s web browser thinks that our secure document page is a login form.
This is such a stupid move by browser vendors. This relies too strongly on a website producing good, clean HTML. A web browser shouldn’t disregard autocomplete and best guess the intention of a web page. It should allow the author of the web page to dictate the purpose of the webpage. As a developer I now face a headache from the complaints from our Customer Support team, as they themselves will be getting complaints from customers.
Thank you Microsoft, Google and Mozilla. Your web browser design teams are all bloody stupid.