Turning Off AutoComplete

Hello,

does anybody know how to turn off the autocomplete feature for a certain
text field?

I am aware of the "autocomplete" attribute, but I have seen other
implementations achieving it without any such attribute and am wondering
whether there is another way to do it .... like via CSS or a naming
convention or .......

Thanks,
Alex
Jul 23 '05 #1
On Mon, 28 Mar 2005 15:19:27 GMT, Alex <no*@for.spam> wrote:
does anybody know how to turn off the autocomplete feature for a certain text
field?

I am aware of the "autocomplete" attribute, but I have seen other
implementations achieving it without any such attribute and am wondering whether
there is another way to do it .... like via CSS or a naming convention or
.......


Isn't this the same discussion that is running since 24 hours in alt.html?

--
,-- --<--@ -- PretLetters: 'woest wyf', met vele interesses: ----------.
| weblog | http://home.wanadoo.nl/b.de.zoete/_private/weblog.html |
| webontwerp | http://home.wanadoo.nl/b.de.zoete/html/webontwerp.html |
|zweefvliegen | http://home.wanadoo.nl/b.de.zoete/html/vliegen.html |
`-------------------------------------------------- --<--@ ------------'
Jul 23 '05 #2
Barbara de Zoete wrote:

Isn't this the same discussion that is running since 24 hours in alt.html?


It's the same question I posted 48 hours ago there - with no answer.
Jul 23 '05 #3
Els
Alex wrote:
Barbara de Zoete wrote:

Isn't this the same discussion that is running since 24 hours in alt.html?


It's the same question I posted 48 hours ago there - with no answer.


You mean "with no answer that I liked".

--
Els http://locusmeus.com/
Sonhos vem. Sonhos vo. O resto imperfeito.
- Renato Russo -
Now playing: Spider Murphy Gang - Skandal Im Sperrbezirk
Jul 23 '05 #4
Els wrote:

You mean "with no answer that I liked".


No, I meant with "no answer to my question".
Jul 23 '05 #5
Els
Alex wrote:
Els wrote:

You mean "with no answer that I liked".


No, I meant with "no answer to my question".


<quote from message id "3a*************@individual.net">
Like others will say, autocomplete is a feature of the user's browser,
not a feature of your site.
</quote>

<quote from message id "A0***************@newsfe5-win.ntli.net">
Yes, but as was said, AutoComplete is a function of the user's
browser, not your site.
</quote>

--
Els http://locusmeus.com/
Sonhos vem. Sonhos vo. O resto imperfeito.
- Renato Russo -
Now playing: Racey - Lay Your Love On me
Jul 23 '05 #6
These are no answers to my questions.

Anyway, I asked for an answer and not for a senseless discussion. If you
have an answer to my question, then please let me know. Otherwise, what's
the purpose?
Jul 23 '05 #7
Els
Alex wrote:
These are no answers to my questions.

Anyway, I asked for an answer and not for a senseless discussion. If you
have an answer to my question, then please let me know. Otherwise, what's
the purpose?


People trying to think with you to solve your problem is a senseless
discussion? How about saying that to the person who just posted a new
message to your thread in alt.html? I'd bet he would stop thinking for
you.

--
Els http://locusmeus.com/
Sonhos vem. Sonhos vo. O resto imperfeito.
- Renato Russo -
Now playing: Spider Murphy Gang - Skandal Im Sperrbezirk
Jul 23 '05 #8
Alex wrote:
These are no answers to my questions.

Anyway, I asked for an answer and not for a senseless discussion. If you
have an answer to my question, then please let me know. Otherwise, what's
the purpose?


If all you want is an answer to the question, this should suffice:

Yes.

I suspect that isn't the response you want, so to second guess you:

Yes, the browser programmers.

Does having an answer to your question, rather than a discussion, help
you at all? No, I didn't think so.

To be slightly more helpful, you certainly can't do it with html or css.
As to whether some operating system component offers a suitable api, I
have no idea & that wouldn't be a matter for ciwa* in any case.

--
Michael
m r o z a t u k g a t e w a y d o t n e t
Jul 23 '05 #9
Els wrote:

People trying to think with you to solve your problem is a senseless
discussion? How about saying that to the person who just posted a new
message to your thread in alt.html? I'd bet he would stop thinking for
you.


It should be obvious that I referred to this discussion!

Again, if you aren't of any help, what's the purpose of your postings?
Jul 23 '05 #10
Alex wrote:
These are no answers to my questions.
Yes there are.
Anyway, I asked for an answer and not for a senseless discussion. If you
have an answer to my question, then please let me know. Otherwise, what's
the purpose?


"Get real! This is a discussion group not a helpdesk. You post
something[,] we discuss its implications. If the discussion happens
to answer a question you've asked[,] that's incidental."
nobull, 2000-10-25 in comp.lang.perl.misc

--
David Dorward <http://blog.dorward.me.uk/> <http://dorward.me.uk/>
Home is where the ~/.bashrc is
Jul 23 '05 #11
Els
Alex wrote:
Els wrote:

People trying to think with you to solve your problem is a senseless
discussion? How about saying that to the person who just posted a new
message to your thread in alt.html? I'd bet he would stop thinking for
you.
It should be obvious that I referred to this discussion!


Wasn't obvious to me, but I get your point now.
Again, if you aren't of any help, what's the purpose of your postings?


I don't need a purpose to be posting here, but if you need a reason
for my postings: they may have been of help to people who don't read
alt.html and would give you the same answers as you've been given
there already.

If you want to ask the same question in a new group, it's nice to
actually refer to the other thread, so that whoever is interested, can
read up on what solutions have already been given/tried/dismissed.

--
Els http://locusmeus.com/
Sonhos vem. Sonhos vo. O resto imperfeito.
- Renato Russo -
Now playing: Flash And The Pan - Midnight Man
Jul 23 '05 #12
Michael Rozdoba wrote:

If all you want is an answer to the question, this should suffice:

Yes.

I suspect that isn't the response you want, so to second guess you:

Yes, the browser programmers.
Pardon?

Does having an answer to your question, rather than a discussion, help
you at all? No, I didn't think so.
I asked a question and hoped for an answer, which can turn into a
discussion, but I didn't ask for the kind of responses Els came up so far.

To be slightly more helpful, you certainly can't do it with html or css.


Well, there are implementations which accomplish it. Whether they do it
via HTML, CSS or HTTP is part of the question and if you do not know it,
then it is fine (I don't know it either, otherwise I wouldn't have asked).
However nitpicking doesn't help an inch.

Alex
Jul 23 '05 #13
On Mon, 28 Mar 2005 16:08:54 GMT, Alex <no*@for.spam> wrote:
Els wrote:
People trying to think with you to solve your problem is a senseless
discussion? How about saying that to the person who just posted a new
message to your thread in alt.html? I'd bet he would stop thinking for
you.


It should be obvious that I referred to this discussion!

Again, if you aren't of any help, what's the purpose of your postings?


This is not a helpdesk. Pay me about two thousand euros and I'll help you. I'll
even call you 'Sir' for that money. Laugh behind your back, but call you in your
face what ever you need to be happy and feel all superior and all.

Posting contents, questions and all remotely related, get discussed in here by
whoever feels a need to butt in. If you have a question and it does get answered
somewhere in the dynamics of the ongoing discussions, well, lucky you. But
answering to your specific demands is not why people participate in this
newsgroup.

--
,-- --<--@ -- PretLetters: 'woest wyf', met vele interesses: ----------.
| weblog | http://home.wanadoo.nl/b.de.zoete/_private/weblog.html |
| webontwerp | http://home.wanadoo.nl/b.de.zoete/html/webontwerp.html |
|zweefvliegen | http://home.wanadoo.nl/b.de.zoete/html/vliegen.html |
`-------------------------------------------------- --<--@ ------------'
Jul 23 '05 #14
Barbara de Zoete wrote:

This is not a helpdesk. Pay me about two thousand euros and I'll help
you. I'll even call you 'Sir' for that money. Laugh behind your back,
but call you in your face what ever you need to be happy and feel all
superior and all.


A newsgroup is always also a kind of helpdesk. I will pay you exactly
nothing. However I also did not require a reply from you. If you can't be
of any help then this is fine - more or less - , but don't cry at me.
Jul 23 '05 #15
Els
Alex wrote:
Barbara de Zoete wrote:

This is not a helpdesk. Pay me about two thousand euros and I'll help
you. I'll even call you 'Sir' for that money. Laugh behind your back,
but call you in your face what ever you need to be happy and feel all
superior and all.


A newsgroup is always also a kind of helpdesk. I will pay you exactly
nothing. However I also did not require a reply from you. If you can't be
of any help then this is fine - more or less - , but don't cry at me.


May I remind you that you are the one crying?
<quote>
Anyway, I asked for an answer and not for a senseless discussion. If
you have an answer to my question, then please let me know. Otherwise,
what's the purpose?
</quote>

--
Els http://locusmeus.com/
Sonhos vem. Sonhos vo. O resto imperfeito.
- Renato Russo -
Now playing: Split Enz - Message To My Girl
Jul 23 '05 #16
Els wrote:

Wasn't obvious to me, but I get your point now.
Alright.

I don't need a purpose to be posting here, but if you need a reason
for my postings: they may have been of help to people who don't read
alt.html and would give you the same answers as you've been given
there already.
I am sorry, but your postings were rather complaints than actual
"responses".

Again, if you don't know an answer then it's perfectly okay, but
complaining doesn't help.

If you want to ask the same question in a new group, it's nice to
actually refer to the other thread, so that whoever is interested, can
read up on what solutions have already been given/tried/dismissed.


That might be true.

Alex
Jul 23 '05 #17
Els
Alex wrote:
I didn't ask for the kind of responses Els came up so far.


<g>

--
Els http://locusmeus.com/
Sonhos vem. Sonhos vo. O resto imperfeito.
- Renato Russo -
Now playing: Skunk Anansie - Weak
Jul 23 '05 #18
David Dorward wrote:

Yes there are.
Yes there are - No there arent - Yes there are ......

Great, Kindergarten style!

Just show me "the" answer to my question! If it would have been answered
I wouldn't have asked again.

"Get real! This is a discussion group not a helpdesk. You post
something[,] we discuss its implications. If the discussion happens
to answer a question you've asked[,] that's incidental."


As I already said, newsgroups are always a kind of helpdesk as well.
Jul 23 '05 #19
Els
Alex wrote:
Els wrote:

Wasn't obvious to me, but I get your point now.
Alright.

I don't need a purpose to be posting here, but if you need a reason
for my postings: they may have been of help to people who don't read
alt.html and would give you the same answers as you've been given
there already.


I am sorry, but your postings were rather complaints than actual
"responses".


Complaints? I was only clarifying what Barbara already mentioned,
namely that there was already a thread active on this subject in
alt.html.
Again, if you don't know an answer then it's perfectly okay, but
complaining doesn't help.


I didn't complain, but even if I felt like complaining, it doesn't
matter that it doesn't help.
If you want to ask the same question in a new group, it's nice to
actually refer to the other thread, so that whoever is interested, can
read up on what solutions have already been given/tried/dismissed.


That might be true.


:-)

--
Els http://locusmeus.com/
Sonhos vem. Sonhos vo. O resto imperfeito.
- Renato Russo -
Now playing: Skunk Anansie - Weak
Jul 23 '05 #20
On Mon, 28 Mar 2005 16:20:50 GMT, Alex <no*@for.spam> wrote:
Barbara de Zoete wrote:
This is not a helpdesk. Pay me about two thousand euros and I'll help you.
I'll even call you 'Sir' for that money. Laugh behind your back, but call
you in your face what ever you need to be happy and feel all superior and
all.
A newsgroup is always also a kind of helpdesk.


You're wrong.
However I also did not require a reply from you.
Wrong again.
If you can't be of any help then this is fine - more or less - , but don't cry
at me.


LOL there is one every few weeks, this time it's you.

Bye bye,

*plonk*

--
,-- --<--@ -- PretLetters: 'woest wyf', met vele interesses: ----------.
| weblog | http://home.wanadoo.nl/b.de.zoete/_private/weblog.html |
| webontwerp | http://home.wanadoo.nl/b.de.zoete/html/webontwerp.html |
|zweefvliegen | http://home.wanadoo.nl/b.de.zoete/html/vliegen.html |
`-------------------------------------------------- --<--@ ------------'
Jul 23 '05 #21
me
"Els" <el*********@tiscali.nl> wrote in message
news:jy****************************@40tude.net...
Alex wrote:
These are no answers to my questions.

Anyway, I asked for an answer and not for a senseless discussion. If you
have an answer to my question, then please let me know. Otherwise, what's
the purpose?


[snip]

As you are doubtless unaware the purpose IMO is so that some can argue that
in their opinion you should not interfere/disable anything in the users
browser. I disagree completely since it's only possible to disable this
feature for the duration of the users visit to your page.

Here:
http://64.233.167.104/search?q=cache...+disable&hl=en

I found this for IE:
<form name="myForm">
<input type="password" name="myField" autocomplete="off">
</form>

Also this for IE:
<script language="JavaScript"><!--
// Set the attribute from script; pass 'off' as the value to disable autocomplete.
document.myForm.myField.setAttribute('autocomplete','on')
//--></script>

Here:
http://www.xulplanet.com/references/...leautocomplete

I found this for FF (don't know if it will work I use IE):
disableautocomplete
Type: boolean
Set this attribute to true to disable autocomplete on the textbox. This
might be used to temporarily disable autocomplete for a field.

More here but less informative:
https://lists.latech.edu/pipermail/j...ne/000817.html

If you succeed how about posting a link here (be prepared for flames and
naysayers but not from me of course).
Good Luck,
me
Jul 23 '05 #22
Alex <no*@for.spam> writes:
Just show me "the" answer to my question! If it would have been
answered I wouldn't have asked again.


Ever considered that your question might not *have* an answer, at
least not as you phrased it? :) You basically asked "how does this web
page do something" without saying *which* page. Always a difficult
question to give any answer to.

Anyway.

1) Some browsers don't support auto-completion at all.

2) In some browsers, there's an attribute that works to turn it
off. You say you're aware of this one already.

3) In some browsers, the user can choose whether or not to
autocomplete a particular form (field). Possibly this lets them
override autocomplete attributes on the input, possibly it
doesn't. Who knows.

Those are the three generic ones - note that 1 and 3 are entirely
user/browser-dependent and 2 only works in some browsers as well.

So...

Auto-completion is a *browser* feature, not a feature of HTML, CSS, or
anything else that you write [1]. So it's up to each individual browser
programmer whether they:
a) implement auto-completion at all
b) if they do, whether they give the page author any chance to disable it

The attribute seems to be reasonably widely-supported by browsers that
have form auto-completion. Any other method will probably be even less
supported, and it seems difficult to imagine that it would be widely
used. I don't know of any.

However...you say in your original post you've seen 'implementations'
that selectively turn off auto-complete without using the
attribute. Not having seen any of these myself, I can't begin to
guess. Do you have a URL for one or two of them so they can be looked
at more closely? What browser are you using? Which fields don't
autocomplete that you think should be?

[1] In principle, some combination of cookies, server-side scripts,
and Javascript might appear to work on a good day in the right browser
even if the browser doesn't natively support autocomplete. I *really*
wouldn't recommend going down that route, though.

--
Chris
Jul 23 '05 #23
me
"Barbara de Zoete" <b_********@hotmail.com> wrote in message
news:opsocvebv2x5vgts@zoete_b...
On Mon, 28 Mar 2005 16:08:54 GMT, Alex <no*@for.spam> wrote:
Els wrote:
People trying to think with you to solve your problem is a senseless
discussion? How about saying that to the person who just posted a new
message to your thread in alt.html? I'd bet he would stop thinking for
you.
It should be obvious that I referred to this discussion!

Again, if you aren't of any help, what's the purpose of your postings?


[snip]
But
answering to your specific demands is not why people participate in this
newsgroup.


Speak for yourself. *My* primary reason for participating in this NG is
finding answers to questions that interest me. I enjoy a challenge and the
opportunity to help others.

Alex, did you see my other post in this thread? I think I found several
methods to accomplish your goal in IE and FF.
Signed,
me
Jul 23 '05 #24
Els wrote:
Alex wrote:
I didn't ask for the kind of responses Els came up so far.

<g>


From OP's attitude, I'd say you're doing something right, here. :)

--
Blinky Linux Registered User 297263
Who has implemented Usenet Solution #45933:
Now killing all posts originating at Google Groups

Jul 23 '05 #25
On Mon, 28 Mar 2005 15:55:33 GMT, Alex <no*@for.spam> wrote:

[...in a non attributed manner...]
These are no answers to my questions.
Lucky for you I have read the surrounding posts in this thread and got
the context from there. You should try to learn a thing or two about
usenet before you go on.
Anyway, I asked for an answer and not for a senseless discussion.
You are in the wrong place sonny. Usenet _is_ a place where discussions
take place.

It is _not_ your private help desk.
If you have an answer to my question, then please let me know.


I (and lots of others) could not care less; given your initial attitude
towards the media you are posting to.

--
Rex
Jul 24 '05 #26
On Mon, 28 Mar 2005 18:14:25 +0200, "Barbara de Zoete"
<b_********@hotmail.com> wrote:
On Mon, 28 Mar 2005 16:08:54 GMT, Alex <no*@for.spam> wrote:
Again, if you aren't of any help, what's the purpose of your postings?
This is not a helpdesk. Pay me about two thousand euros and I'll help you. I'll
even call you 'Sir' for that money. Laugh behind your back, but call you in your
face what ever you need to be happy and feel all superior and all.


ROTFL :-)

--
Rex
Jul 24 '05 #27
Alex wrote:
does anybody know how to turn off the autocomplete feature for a certain
text field?
It depends on your browser, but I think most can only turn it on or off
for the whole form:

Firefox: When prompted during form submission, select "No" or "Never for
this site", or edit the options in the privacy tab.

IE: When prompted, select "No" or edit the AutoComplete options in the
content tab.

Other browsers should have similar options available too, consult their
user documentation for more information.
I am aware of the "autocomplete" attribute


That attribute is the only way for an author to request that a user's
user agent not remember form field values. However, *what right do you
have to take over my system and decide when I want to let my browser
remember my passwords and other form values*???

Luckily there are ways for a user to override this attribute in *some*
browsers, though it's not easy and it's something the user shouldn't
even have to do.

See this recent thread [1] in the WHAT-WG mailing list that explains why
this attribute cannot be used, why browsers support it, why authors
should not use it, why there is an attempt to standardise it and, most
importantly, *why you must not use this attribute*!

[1]
http://listserver.dreamhost.com/pipe...read.html#3183

--
Lachlan Hunt
http://lachy.id.au/
http://GetFirefox.com/ Rediscover the Web
http://GetThunderbird.com/ Reclaim your Inbox
Jul 24 '05 #28
Alex wrote:
Hello,

does anybody know how to turn off the autocomplete feature for a certain
text field?

I am aware of the "autocomplete" attribute, but I have seen other
implementations achieving it without any such attribute and am wondering
whether there is another way to do it .... like via CSS or a naming
convention or .......

Thanks,
Alex


As far as I can tell - based on testing a couple of banking sites -
autocomplete does not 'work' in IE or Firefox if HTTPS is being used.

However, since I don't have access to my own HTTPS server, I can't
verify that.

--
Rob
Jul 24 '05 #29
Lachlan Hunt wrote:
[...]

That attribute is the only way for an author to request that a user's
user agent not remember form field values.
Yes, but it is not the only way to prevent a user agent from
remembering user input. Let's say I add a randomly generated 8
character string to my input field names. Your browser won't
recognize the field, how will it auto fill it?
However, *what right do you
have to take over my system and decide when I want to let my browser
remember my passwords and other form values*???
Rights? What is this, life and death? Get a grip! The page author
can defeat any browser attempt at remembering form values - what if
they don't use HTML forms at all? Or generate random input names?
Or don't assign any name or label to the input and use JavaScript to
populate hidden fields before submission?

Sorry, autocomplete is a nice add-on, but it is utterly unreliable
and certainly not some inalienable 'right'.

Luckily there are ways for a user to override this attribute in *some*
browsers, though it's not easy and it's something the user shouldn't
even have to do.
So now you assume to know the requirements of all users?

See this recent thread [1] in the WHAT-WG mailing list that explains why
this attribute cannot be used, why browsers support it, why authors
should not use it, why there is an attempt to standardise it and, most
importantly, *why you must not use this attribute*!

[1]
http://listserver.dreamhost.com/pipe...read.html#3183


That thread contains a rather lop-sided series of comments regarding
the support that the WHAT Working Group specification should give to
the autocomplete attribute. There is no discussion of any of the
points you raise, least of all why it "cannot" or "must not" be used.

Indeed, if it were the view of that group that autocomplete can't or
mustn't be used, why is the outcome of the discussion that it
continue to be part of the specification?

--
Zif
Jul 24 '05 #30
Previously in comp.infosystems.www.authoring.html, Alex <no*@for.spam>
said:
Pardon?
Your question was:
does anybody know how to turn off the autocomplete feature for a certain
text field?


The answer of course, which Michael gave you, is yes. Someone knows.

Michael decided to try and guess your response to that answer. His guess
was that your next question would be, "Who?"

So his answer was, "the browser programmers".

IOW, the answer is the same as everyone else has already given you - it
is not, and should not be, in your control as the author. It is up to
the browser manufacturers (whether to implement autocomplete in the
first place), and the end user (whether to disable it in the browser/use
a browser that doesn't support it, etc).
Well, there are implementations which accomplish it.


In some browsers, under certain circumstances, in the right light,
maybe.

--
Mark Parnell
http://www.clarkecomputers.com.au
Jul 24 '05 #31
Previously in comp.infosystems.www.authoring.html, Alex <no*@for.spam>
said:
A newsgroup is always also a kind of helpdesk.
Who told you that rubbish? There are a handful of newsgroups that also
function as helpdesks - generally these are the ones with "helpdesk" in
the name of the group, e.g. news://24hoursupport.helpdesk. All others
exist purely for discussion on a given topic. As was pointed out in the
quote that David posted, any answers to your question are incidental to
the discussion.
I will pay you exactly nothing.


Then you get what you paid for. HTH. HAND.

--
Mark Parnell
http://www.clarkecomputers.com.au
Jul 24 '05 #32
Mark Parnell wrote:
[...]

IOW, the answer is the same as everyone else has already given you - it
is not, and should not be, in your control as the author.
That may be your opinion, but the question was whether there is a way
of disabling auto complete other than the autocomplete attribute. Not
one single reply (other than my own) has addressed the actual
question.
It is up to
the browser manufacturers (whether to implement autocomplete in the
first place), and the end user (whether to disable it in the browser/use
a browser that doesn't support it, etc).
Your opinion on the autocomplete attribute is irrelevant since the
original question was how to disable auto complete *other than* using
the autocomplete attribute.
Well, there are implementations which accomplish it.

In some browsers, under certain circumstances, in the right light,
maybe.


No, there are implementations that prevent auto complete from working
absolutely reliably in every case:

1. Use Flash forms and not HTML (requires Flash plugin)

2. Do not use names or labels on inputs (requires JavaScript support)

3. Assign random strings to input names so that they are not
recognised by the browser (requires HTML only)

4. Use HTTPS (less reliable but still pretty good).

No doubt there are other methods.

If a site that prevents auto complete from working annoys you enough
that you don't use it, then that is your choice as it was theirs to
prevent certain browser behaviour, even while maintaining full
compliance with the HTML 4.01 specification (which does not mention
"autocomplete" at all).
--
Zif
Jul 24 '05 #33
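Added example (not part of Zif's post or any other reply in this thread): a Node.js sketch of method 3 in the list above, where the server gives each rendered form fresh input names and maps them back on submission. The `f_` prefix, the `_n` hidden field, `SERVER_KEY` and all function names are assumptions made for the illustration; as other replies in the thread point out, a user agent that matches fields by type or position rather than by name can still fill them.

```javascript
// Added example: per-render random input names (method 3 above), Node.js.
const crypto = require('node:crypto');

// Logical fields the application handles (constructed for this example).
const LOGICAL_FIELDS = [
  { name: 'username', type: 'text' },
  { name: 'password', type: 'password' },
];

// Hypothetical server-side secret; a real deployment would load it from config.
const SERVER_KEY = crypto.randomBytes(32);

// Derive the alias for one logical field from the form's nonce.
// Using an HMAC means the server keeps no per-form state: the nonce travels
// in a hidden field and the aliases are recomputed when the form comes back.
function aliasFor(logicalName, nonce, key = SERVER_KEY) {
  const mac = crypto.createHmac('sha256', key)
    .update(`${nonce}:${logicalName}`)
    .digest('hex');
  return `f_${mac.slice(0, 16)}`;
}

// Minimal HTML attribute escaping for the one caller-supplied value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Render the form with a fresh nonce, so the input names differ on every
// page load and a name-keyed autocomplete store never sees the same name twice.
function renderForm(action) {
  const nonce = crypto.randomBytes(8).toString('hex');
  const aliases = {};
  const inputs = LOGICAL_FIELDS.map(({ name, type }) => {
    aliases[name] = aliasFor(name, nonce);
    // The attribute from the thread is kept as well, for browsers that honour it.
    return `  <input type="${type}" name="${aliases[name]}" autocomplete="off">`;
  });
  const html = [
    `<form method="post" action="${escapeHtml(action)}" autocomplete="off">`,
    `  <input type="hidden" name="_n" value="${nonce}">`,
    ...inputs,
    '</form>',
  ].join('\n');
  return { nonce, aliases, html };
}

// Map a urlencoded POST body back to logical field names.
// Returns null if the nonce is malformed or any expected alias is missing,
// which is also what happens when the plain logical names are submitted.
function decodeSubmission(rawBody) {
  const params = new URLSearchParams(rawBody);
  const nonce = params.get('_n');
  if (nonce === null || !/^[0-9a-f]{16}$/.test(nonce)) return null;
  const values = {};
  for (const { name } of LOGICAL_FIELDS) {
    const alias = aliasFor(name, nonce);
    if (!params.has(alias)) return null;
    values[name] = params.get(alias);
  }
  return values;
}

// Stand-alone run: show one rendered form.
console.log(renderForm('/login').html);
```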
Zifud wrote:
Lachlan Hunt wrote:
Yes, but it is not the only way to prevent a user agent from
remembering user input. Let's say I add a randomly generated 8
character string to my input field names. Your browser won't
recognize the field, how will it auto fill it?
You're basing that assumption on the way existing autocomplete features
work. There is nothing *preventing* the user agent remembering the
values except the limitations of the implementations. There is
certainly nothing in the markup doing so.
However, *what right do you have to take over my system and decide
when I want to let my browser remember my passwords and other form
values*???


Rights? What is this, life and death?


No, it's not life and death, it's about the right to make choices
yourself, without anyone else interfering.
Get a grip! The page author can defeat any browser attempt at remembering
form values - what if they don't use HTML forms at all? Or generate random input names?
Or don't assign any name or label to the input and use JavaScript to
populate hidden fields before submission?

Sorry, autocomplete is a nice add-on, but it is utterly unreliable
and certainly not some inalienable 'right'.
It is the right of the user to make use of the features in their user agent.
Luckily there are ways for a user to override this attribute in *some*
browsers, though it's not easy and it's something the user shouldn't
even have to do.


So now you assume to know the requirements of all users?


No. If you think that, then you've totally misunderstood the issue.
The point is that it should be the *user's* choice in the end, not the
author's, and users that want to make the choice should be able to do
so easily.

See this recent thread [1] in the WHAT-WG mailing list that explains
why this attribute cannot be used, why browsers support it, why
authors should not use it, why there is an attempt to standardise it
and, most importantly, *why you must not use this attribute*!

[1]
http://listserver.dreamhost.com/pipe...read.html#3183


That thread contains a rather lop-sided series of comments regarding
the support that the WHAT Working Group specification should give to
the autocomplete attribute. There is no discussion of any of the
points you raise, least of all why it "cannot" or "must not" be used.


All the points are addressed either directly in the thread or there are
references to places that contain the explanation. Here's a very brief
summary.

Why browsers support it:
To meet the needs of some ignorant banking organisations that believe
it increases the security of their web pages.

Why it's being standardised:
Because specifications should document what browsers should support.

Why authors can not, should not and must not use it:
Because it is a user-hostile act to disable a user's user agent
feature designed to increase the usability of web sites for the user.
Indeed, if it were the view of that group that autocomplete can't or
mustn't be used, why is the outcome of the discussion that it
continue to be part of the specification?


Ignorance. I never said it was the view of the group, only that it
should not be used for the many reasons discussed in it.

--
Lachlan Hunt
http://lachy.id.au/
http://GetFirefox.com/ Rediscover the Web
http://GetThunderbird.com/ Reclaim your Inbox
Jul 24 '05 #34
Previously in comp.infosystems.www.authoring.html, Zifud
<Zi***@hotmail.com> said:
That may be your opinion, but the question was whether there is a way
of disabling auto complete other than the autocomplete attribute. Not
one single reply (other than my own) has addressed the actual
question.
See the part of my reply you snipped, or Michael's post,
42**********************@news.zen.co.uk - both answered the OP's exact
question. Perhaps it was not quite the question he/she wanted answered,
but it's the question that was asked.
Your opinion on the autocomplete attribute is irrelevant since the
original question was how to disable auto complete *other than* using
the autocomplete attribute.
I never mentioned the autocomplete attribute. I was talking about
autocomplete as a behaviour in general, not the one attribute (which, as
you rightly note, is non-standard anyway).
1. Use Flash forms and not HTML (requires Flash plugin)

2. Do not use names or labels on inputs (requires JavaScript support)
Well, removing form functionality is one way of preventing autocomplete,
but it's a bit drastic IMHO.
3. Assign random strings to input names so that they are not
recognised by the browser (requires HTML only)

4. Use HTTPS (less reliable but still pretty good).


My browser allows me to autocomplete form data in either of those
situations (and possibly the first 2 - I haven't tested).

--
Mark Parnell
http://www.clarkecomputers.com.au
Jul 24 '05 #35
Mark Parnell wrote:
Previously in comp.infosystems.www.authoring.html, Zifud
<Zi***@hotmail.com> said:

That may be your opinion, but the question was whether there is a way
of disabling auto complete other than the autocomplete attribute. Not
one single reply (other than my own) has addressed the actual
question.

See the part of my reply you snipped, or Michael's post,
42**********************@news.zen.co.uk - both answered the OP's exact
question. Perhaps it was not quite the question he/she wanted answered,
but it's the question that was asked.

Your opinion on the autocomplete attribute is irrelevant since the
original question was how to disable auto complete *other than* using
the autocomplete attribute.

I never mentioned the autocomplete attribute. I was talking about
autocomplete as a behaviour in general, not the one attribute (which, as
you rightly note, is non-standard anyway).

1. Use Flash forms and not HTML (requires Flash plugin)

2. Do not use names or labels on inputs (requires JavaScript support)

Well, removing form functionality is one way of preventing autocomplete,
but it's a bit drastic IMHO.

3. Assign random strings to input names so that they are not
recognised by the browser (requires HTML only)

4. Use HTTPS (less reliable but still pretty good).

My browser allows me to autocomplete form data in either of those
situations (and possibly the first 2 - I haven't tested).

--
Zif
Jul 24 '05 #36
Lachlan Hunt wrote:
Zifud wrote:
Lachlan Hunt wrote:
Yes, but it is not the only way to prevent a user agent from
remembering user input. Let's say I add a randomly generated 8
character string to my input field names. Your browser won't
recognize the field, how will it auto fill it?

You're basing that assumption on the way existing autocomplete features
work.


Should I base them on how future implementations may work, or should
I stick with reality?

There is nothing *preventing* the user agent remembering the values except the limitations of the implementations. There is
certainly nothing in the markup doing so.
? Remembering individual values is only half the problem, it's
automatically associating certain values with particular fields on
individual web sites, like user id, password, etc. that is the
problem. It becomes an absolute no-brainer to hack into someone's
bank account if the fields are filled in for you!

And if the site chooses to protect itself by preventing such automatic
field filling, who are you to say they can't?
However, *what right do you have to take over my system and
decide when I want to let my browser remember my passwords and other
form values*???

Rights? What is this, life and death?

No, it's not life and death, it's about the right to make choices
yourself, without anyone else interfering.


But you choose to dictate to site authors the features they can and
can't use on their site.
Get a grip! The page author can defeat any browser attempt at
remembering form values - what if they don't use HTML forms at all?
Or generate random input names?
Or don't assign any name or label to the input and use JavaScript to
populate hidden fields before submission?

Sorry, autocomplete is a nice add-on, but it is utterly unreliable
and certainly not some inalienable 'right'.

It is the right of the user to make use of the features in their user
agent.


And the 'right' of every author to use the features provided by the
specification. Autocomplete (feature or attribute) is not part of
the HTML spec, and it can be easily defeated with perfectly valid
markup.

So where does that leave the respective parties' 'rights'?
Luckily there are ways for a user to override this attribute in
*some* browsers, though it's not easy and it's something the user
shouldn't even have to do.

So now you assume to know the requirements of all users?

No. If you think that, then you've totally misunderstood the issue. The
point is that it should be the *user's* choice in the end, not the
author's, and users that want to make the choice should be able to do
so easily.


No, the point is that users have the ability to use auto complete,
authors have the ability to make it useless. I don't see that will
ever change.

See this recent thread [1] in the WHAT-WG mailing list that explains
why this attribute cannot be used, why browsers support it, why
authors should not use it, why there is an attempt to standardise it
and, most importantly, *why you must not use this attribute*!

[1]
http://listserver.dreamhost.com/pipe...read.html#3183
That thread contains a rather lop-sided series of comments regarding
the support that the WHAT Working Group specification should give to
the autocomplete attribute. There is no discussion of any of the
points you raise, least of all why it "cannot" or "must not" be used.

All the points are addressed either directly in the thread or there are
references to places that contain the explanation. Here's a very brief
summary.

Why browsers support it:
To meet the needs of some ignorant banking organisations that believe
it increases the security of their web pages.


That assertion is made without a single reference or quote, which was
my point. And the sole reason offered is that particular users like
to use autocomplete and are offended if it doesn't work.

So what? Not one single pertinent argument was given as to why it
should be banned, other than "I want it".

The primary argument for preventing it is to ensure the users'
security, that the computer they are using can't remember what the
site believes is sensitive information.

Why it's being standardised:
Because specifications should document what browsers should support.
What? Standards are some kind of 'as-built' document? Whilst that
argument was offered, it simply doesn't stand up.

Why aren't the many other MS proprietary methods in standards? Just
about all browsers support innerHTML, but its chances of making
it into some future version of the DOM are remote at best.

Let's put this one to rest:

"...the most fundamental Web technologies must be compatible with
one another and allow any hardware and software used to access the
Web to work together. ... By publishing open (non-proprietary)
standards for Web languages and protocols, W3C seeks to avoid
market fragmentation and thus Web fragmentation.

"Tim Berners-Lee and others created W3C as an industry consortium
dedicated to building consensus around Web technologies."

<URL:http://www.w3.org/Consortium/>

In other words, standards exist to ensure interoperability and
promote collaboration.

Browsers and standards are not in existence purely for users'
convenience - they exist as a platform for the web. If they don't
implement features required by web sites, then the sites will not
support them. If they don't support features wanted by users, then
users won't use them.

A browser author's dilemma is to walk the fine line between the two,
and a specification writer's job is to work out what features should
be in the standard and what shouldn't. The rationale for choosing one
particular feature may be totally different from that used to select
(or reject) another. No single player has absolute right of veto
over what any other player wants.

The attitude here seems to be that any attempt by a web site to
ensure user ID or password security is an attack on civil liberties.

Why authors can not, should not and must not use it:
Because it is a user-hostile act to disable a user's user agent
feature designed to increase the usability of web sites for the user.
Just wait for the day some suitably empowered user sues a site for
not ensuring the security of their user ID and password when the
tools were available to do it.

Any site that doesn't support my choice of browser and OS doesn't get
my business. I let them know my grievance in an e-mail, and once or
twice it has actually resulted in changes to sites.
Indeed, if it were the view of that group that autocomplete can't or
mustn't be used, why is the outcome of the discussion that it
continue to be part of the specification?

Ignorance.


That group is ignorant? So why reference a bunch of ignoramuses?

I never said it was the view of the group, only that it should not be used for the many reasons discussed in it.


The only reason I saw was that some posters thought it was an attack
on their personal space if a page author dared interfere with a
feature of their browser. It can be just as easily answered that it
is the right of any site to disallow features they believe are
detrimental to their users' security.


--
Zif
Jul 24 '05 #37
Mark Parnell wrote:
[...]
See the part of my reply you snipped, or Michael's post,
42**********************@news.zen.co.uk - both answered the OP's exact
question. Perhaps it was not quite the question he/she wanted answered,
but it's the question that was asked.
You answered the part of the question that had already been answered,
not the part that the OP still required to be answered.

No, it wasn't the answer required and the OP said so.

[...]
1. Use Flash forms and not HTML (requires Flash plugin)

2. Do not use names or labels on inputs (requires JavaScript support)

Well, removing form functionality is one way of preventing autocomplete,
but it's a bit drastic IMHO.


It achieves the OP's request - prevent auto complete without using
the autocomplete attribute.

Drastic? Maybe, but effective. :-x

3. Assign random strings to input names so that they are not
recognised by the browser (requires HTML only)

4. Use HTTPS (less reliable but still pretty good).

My browser allows me to autocomplete form data in either of those
situations (and possibly the first 2 - I haven't tested).


As noted, 4. is less reliable. But unless your browser provides a
list of every entry you've ever put into any form field, how will it
know that the field that was y76Km98 last time is now plOi98k? I can
encrypt every single field name & id based on a seed I generate at
the server and keep just for your current session and generate new
names & ids every time you refresh the page.

Drastic? Yes. CPU intensive at the server? Yes. But I defy any
browser to defeat it (and yes, I'd shuffle the position of elements
in the form). Of course, your browser can still guess at entries
using type-ahead, but the chances of anyone getting a user id or
password that way are greatly reduced.

As a last note, it is only worthwhile defeating auto complete on a
few sensitive fields. Is it really worth all this hassle just to
*reduce* security on obvious targets? How many large companies
allow a user's PC to have the user ID and password auto-completed when
the user turns the machine on?
--
Zif
Jul 24 '05 #38
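
The per-session renaming scheme described in post #38 above, sketched as an added example that is not part of the thread: field names and ids are derived from a server-held seed plus a nonce that changes on every render, and the field order is shuffled. The `FormSession` class, the logical field names and the HMAC-based derivation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = ("user_id", "password")  # hypothetical logical field names


class FormSession:
    """Server-side state for one user session (assumed to live in the session store)."""

    def __init__(self):
        self.seed = secrets.token_bytes(32)  # secret, never sent to the browser
        self.nonce = None                    # replaced on every render

    def alias(self, logical):
        # Keyed hash of (render nonce, logical name); the leading letter keeps it a valid id.
        mac = hmac.new(self.seed, f"{self.nonce}:{logical}".encode(), hashlib.sha256)
        return "f" + mac.hexdigest()[:15]

    def render(self):
        """Return form HTML with fresh names and ids and a shuffled field order."""
        self.nonce = secrets.token_hex(8)
        order = list(SENSITIVE_FIELDS)
        secrets.SystemRandom().shuffle(order)
        rows = []
        for logical in order:
            kind = "password" if logical == "password" else "text"
            name = self.alias(logical)
            rows.append(f'  <input type="{kind}" name="{name}" id="{name}">')
        return '<form method="post">\n' + "\n".join(rows) + "\n</form>"

    def decode(self, posted):
        """Map a submitted {alias: value} dict back to the logical field names."""
        if self.nonce is None:
            raise ValueError("form was never rendered for this session")
        try:
            return {f: posted[self.alias(f)] for f in SENSITIVE_FIELDS}
        except KeyError:
            raise ValueError("field names do not match the last rendered form") from None
```

Because only the most recent nonce is kept, rendering the form again (a refresh or a second tab) invalidates a submission built from the earlier names, which the server has to handle by re-displaying the form.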
Zifud wrote:
Mark Parnell wrote:
[...]
See the part of my reply you snipped, or Michael's post,


You answered the part of the question that had already been answered,
not the part that the OP still required to be answered.


Required? On usenet? When did that start? ;)

s/required/desired/

--
Reply email address is a bottomless spam bucket.
Please reply to the group so everyone can share.
Jul 24 '05 #39
RobG wrote:

As far as I can tell - based on testing a couple of banking sites -
autocomplete does not 'work' in IE or Firefox if HTTPS is being used.


FYI, HTTPS autocomplete does work in FF, at least in the build I'm using.

--
Reply email address is a bottomless spam bucket.
Please reply to the group so everyone can share.
Jul 24 '05 #40
On Mon, 28 Mar 2005, Alex wrote:
Just show me "the" answer to my question! If it would have been
answered I wouldn't have asked again.
I sense an application for killfile membership...
"Get real! This is a discussion group not a helpdesk. You post
something[,] we discuss it's implications.
Oh please: the original author of that quote surely did know that
news:alt.possessive.its.has.no.apostrophe
If the discussion happens to answer a question you've asked[,]
that's incidental."


Indeed.
As I already said, newsgroups are always a kind of helpdesk as well.


Newsgroups can indeed be very helpful, but only if you approach
newsgroups in the right frame of mind, i.e. as a discussion group. I
see little evidence of the complainants doing that. As such, they'll
be going into the short-term killfile, in the hope that by the time
that entry times-out, they'll have decided to either join-in with the
proper usenet discussion, or to find some other kind of forum for
their "this isn't the answer that I demanded" attitude.

until then, bye
Jul 24 '05 #41
