Page MenuHomePhabricator

wpSummary: A random browser extension sets it to autocomplete="off"
Closed, InvalidPublic

Description

With Firefox I get a list of autocomplete values after click into c input field. Chrome did the same some versions ago.

With the recent Version of go I find autocomplete="off" after click Ctrl+Shift+I in wpSummary field with Chrome. In Firefox is no autocomplete attribute, and default is autocomplete="on"

Event Timeline

Sorry about the blame for Chrome. It was an extension to detect and prevent cross site scripting. Autocomplete = "off" is set if an explicit autocomplete = "on" is missing

Jdforrester-WMF renamed this task from wpSummary: Chrome sets it to autocomplete="off" to wpSummary: A random browser extension sets it to autocomplete="off".Aug 20 2019, 1:35 PM
Jdforrester-WMF subscribed.

Presumably we should Invalid this?

I find an explicit autocomplete = "on" for fields where XSS is risk-free (no personal information, ...) useful. With wpSummary autocomplete = "on" makes sense. Autocomplete = "off" could be a better default setting for all input fields where autofill does not help the users. Login data can be handled by default browser autofill settings, as it is.

Catrope subscribed.

There's no real connection, as far as I can see, between XSS and personal information, or between XSS and autocomplete. I don't understand why a browser extension trying to prevent XSS would disable autocomplete. The default value for autocomplete is on, and it makes little sense to explicitly set autocomplete="on" on almost all form fields. In addition, MediaWiki already sets autocomplete="on" on almost every <form> it generates, so there's no reason to also set it on each field (except for browser extensions messing with things, but I don't think it makes sense to design around those).