According to Eric Lawrence’s blog, IE 11 has an “improved Password manager” which “keeps [the] user in control”. So far so good (here at Mozilla, we’re all in favour of user control :-), but it then goes on to say that one of the ways it does so is that it “ignores autocomplete=off”.
autocomplete=off is the way that pages give a “hint” to the browser as to what sort of form autocomplete behaviour they should provide. Ignoring it is, as I read the HTML5 spec, permitted, and one can see the superficial attractiveness of this. I’m sure we’ve all come across pages where the form fields won’t save even when we want them to.
However, we at Mozilla have never agreed to ignore this attribute across the entire web to “fix” this problem, because what we think would happen then (and what may happen with IE) is that sites implement non-standard workarounds. For some people, such as banks, stopping the browser storing authentication credentials is a business requirement – no argument. And if we don’t provide a standards-compliant way of doing it, they’ll use a non-standard one. For example, they might read the form fields out in an onsubmit() handler, then blank them, and submit the values in differently-named hidden form fields – so when the submit happens, the browser “sees” those fields as empty and doesn’t save anything. This is worse because it means the page requires JavaScript, but also because it’s much harder or impossible for particular individuals to disable such work-around mechanisms (e.g. those with accessibility needs which make filling in form fields much harder, and who want to make a different trade-off).
Ignoring autocomplete=”off” leads to an arms race, with users as the losers. So I hope Microsoft reconsider this move.
I keep a Chrome extension to ignore the autocomplete attribute; it is already being abused by websites to disable password saving by websites that want to be more “secure”. That’s unacceptable to me; I have to actually side with Microsoft on this one; though they could be more selective with when they ignore autocomplete=off (i.e. if it is on a password form field, THEN ignore it for the whole form, but never ignore it for fields that look like credit card numbers etc.) or change the “Do you want to save this password” prompt slightly to indicate the website does not recommend saving it, but still keeping the user in control.
Isn’t this just another example of the same attitude that made them think enabling DoNotTrack by default was a good idea? Do what works now, and forget about the impact it will have in the future.
On the other hand, I do wish fewer sites would use autocomplete=off, especially as form autocomplete typically *improves* security, by allowing people to use more complicated passwords.
Check how Safari solves this in an elegant way (a simple hint shown when you are entering the field marked autocomplete=”off” for the first time, which shows that the web site forbids saving the content of the field; that is a solution, not ignoring the otherwise standard property)
MS solution is the worst that can be imagined and their cause is a joke.
Totally agree, MS is on the good old wrong path as many times earlier!
Just for the record, the mentioned solution does not work if listening on the form submit event; by that time it is too late, IE will already confirm the password save. You should do the trick in the (submit typed) button onclick handler!
It should be possible for the user to cause this behavior (i.e., to cause autofill to work no matter what the website says). This should be possible to do on a site-by-site basis, and it should be possible to do it globally. Incidentally, it should be possible to do for textarea fields, not just single-line fields (although I don’t think you’d ever want to enable textarea autofill globally for all textarea fields on all sites; that would cause more problems than it would solve).
I can see, however, that maybe it ought not to be the default behavior.
@Dan: Ignoring autocomplete=off *only* occurs for type=password, and thus it wouldn’t apply to your credit card fields.
@Gerv: Just to be clear, that’s my blog (IEInternals), not the IE team’s official blog (IEBlog)
Eric: you are quite right; my apologies. I have updated the post.
I think Firefox should at least have a built-in option one can turn on manually to ignore autocomplete=off (I know there’s an add-on but built-in would be better in terms of user control). We then could do metrics on how many people switch that, just like we do for DNT.