views: 8082
answers: 11

When using the xhtml1-transitional.dtd doctype, collecting a credit card number with the following HTML

<input type="text" id="cardNumber" name="cardNumber" autocomplete='off'/>

will flag a warning on the W3C validator:

there is no attribute "autocomplete".

Is there a W3C / standards way to disable browser auto-complete on sensitive fields in a form?

+8  A: 

I would be very surprised if W3C would have proposed a way that would work with (X)HTML4. The autocomplete feature is entirely browser-based, and was introduced during the last years (well after the HTML4 standard was written).

Wouldn't be surprised if HTML5 would have one, though.

Edit: As I thought, HTML5 does have that feature. To define your page as HTML5, use the following doctype (i.e. put this as the very first text in your source code). Note that not all browsers support this standard, as it's still in draft form.

<!DOCTYPE html>
Henrik Paul
All browsers except older versions of Konqueror support it. Even IE6 supports it. It's the doctype to go.
BalusC
+14  A: 

No, but browser auto-complete is often triggered by the field having the same name attribute as fields that were previously filled out. If you could rig up a clever way to have a randomized field name, autocomplete wouldn't be able to pull any previously entered values for the field.

If you were to give an input field a name like "email_<?= randomNumber() ?>", and then have the script that receives this data loop through the POST or GET variables looking for something matching the pattern "email_[some number]", you could pull this off, and this would have (practically) guaranteed success, regardless of browser.

Phantom Watson
Interesting idea, thanks
matt b
This would make automatic testing harder.
David Waters
Would make automatic testing harder, only if your testing software can't cope with / check for / read fields that might have a random number appended to them. Might be time to upgrade your automated testing software.
corydoras
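The randomized-field-name approach from the answer above, worked through as an added example (not code from the thread). It renames the card-number field per render; the receiving side can either scan for any name matching the pattern, as the answer suggests, or, more safely, remember the suffix in the session and accept only that one name. The session is assumed to be a plain dict; the prefix, suffix length and request body are constructed for the example.

```python
import re
import secrets
from urllib.parse import parse_qs

FIELD_PREFIX = "cardNumber_"          # assumed naming convention for the randomized field
SUFFIX_RE = re.compile(r"^[0-9a-f]{16}$")  # 8 random bytes, hex-encoded


def new_field_name(session):
    """Mint a fresh random suffix for this render and remember it in the session.

    Remembering it lets the receiving script look up exactly one name instead of
    accepting any 'cardNumber_<anything>' posted by a client."""
    suffix = secrets.token_hex(8)
    session["card_field_suffix"] = suffix
    return FIELD_PREFIX + suffix


def render_input(session):
    """Render the input; id and name change every time, so the browser has no
    autocomplete history keyed to them."""
    name = new_field_name(session)
    return '<input type="text" id="%s" name="%s"/>' % (name, name)


def extract_card_number(session, post_body):
    """Receive the submission: return the value of the one expected field, or
    None if it is missing (stale form, tampering, or a replayed post)."""
    params = parse_qs(post_body, keep_blank_values=True)
    suffix = session.get("card_field_suffix")
    if not suffix or not SUFFIX_RE.match(suffix):
        return None
    values = params.get(FIELD_PREFIX + suffix)
    if not values:
        return None
    del session["card_field_suffix"]   # one-shot: the same form cannot be posted twice
    return values[0]


def find_by_pattern(post_body):
    """The looser variant the answer describes: scan the posted keys for
    cardNumber_<hex>. Needs no session, but accepts any suffix, so it only
    succeeds when exactly one such key is present."""
    params = parse_qs(post_body, keep_blank_values=True)
    matches = [k for k in params
               if k.startswith(FIELD_PREFIX) and SUFFIX_RE.match(k[len(FIELD_PREFIX):])]
    if len(matches) != 1:
        return None
    return params[matches[0]][0]
```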
+12  A: 

No, a good article is here https://wiki.mozilla.org/The_autocomplete_attribute_and_web_documents_using_XHTML

I would continue to use the invalid attribute. I think this is where pragmatism should win over validating.

David Waters
Can you recommend any articals on pragmatisium? :)
Phantom Watson
Patronising means talking down to someone Phantom :)
TreeUK
+1  A: 

Not ideal, but you could change the id and name of the textbox each time you render it - you'd have to track it server side too so you could get the data out.

Not sure if this will work or not, was just a thought.

Kieron
+32  A: 

'autocomplete' is a non-standard attribute, I'm afraid.

Here is a good article from the MDC which explains the problems (and solutions) to form autocompletion. Microsoft has published something similar here, as well.

To be honest, if this is something important to your users, 'breaking' standards in this way seems appropriate. For example, Amazon uses the 'autocomplete' attribute quite a bit, and it seems to work well.

If you want to remove the warning entirely, you can use JavaScript to apply the attribute in browsers that support it (IE and Firefox are the important browsers) using

someForm.setAttribute( "autocomplete", "off" );
someFormElm.setAttribute( "autocomplete", "off" );

Finally, if your site is using HTTPS, IE automatically turns off autocompletion (as do some other browsers, as far as I know).

Nick Presta
Looks like Firefox doesn't turn off autocomplete on https, but that's a useful piece of knowledge. Thanks!
matt b
+5  A: 

HTML 4: No
HTML 5: Yes

Zaagmans
+6  A: 

How about setting it with javascript?

var e = document.getElementById('cardNumber');
e.autocomplete = 'off'; // Maybe should be false

It's not perfect but your HTML will be valid.

Greg
I like this idea too, as a workaround
matt b
A: 

The argument that this should be a user-agent decision in all cases is just silly to me. The reality is that in many cases the scope of privacy risk goes beyond the authenticating user. Millions of smartphones are lost in the US each year, do you want your financial advisor saving the password they use to manage YOUR account on their mobile device? It doesn't matter how securely it's stored on the device if an attacker has access to the runtime OS. You could argue that access to the device should be protected with a password, or that strong authentication should be used. Then there's reality.

The password form field is part of the spec, and it masks entry. I'm sure many users would like to see what they enter. Why is that okay, but not disabling autocomplete? I think it is appropriate to be part of the HTML 5 spec.

Matt
A: 

Valid autocomplete off

<script type="text/javascript">
    /* <![CDATA[ */
    document.write('<input type="text" id="cardNumber" name="cardNumber" autocom'+'plete="off"/>');
    /* ]]> */ 
</script>
Southampton Web Design
surely if a user had JS switched off though, they can't complete an order as they can't enter their card number? Better to supplement the attribute via JS I'd say - worst case, JS off gives the card number field with the potential for auto-complete, but at least they can place an order... just a thought :)
Terry_Brown
A: 

If you use jQuery, you can do something like this:

$(document).ready(function(){$("input.autocompleteOff").attr("autocomplete","off");});

and use the autocompleteOff class where you want:

<input type="text" name="fieldName" id="fieldId" class="firstCSSClass otherCSSClass autocompleteOff" />

If you want ALL your inputs to be autocomplete=off, you can simply use this:

$(document).ready(function(){$("input").attr("autocomplete","off");});

Totoche
Just using HTML5 doctype is easier and better.
BalusC
this isn't really valid html anyway, it's just setting the (invalid) `autocomplete` attribute in a different way other than in the html
matt b
A: 

I suggest catching all 4 types of input: $('form,input,select,textarea').attr("autocomplete", "off");

http://www.w3.org/Submission/web-forms2/#the-autocomplete

http://dev.w3.org/html5/markup/input.html

Malartre