the IE blog Eric Lawrence’s blog, IE 11 has an “improved Password manager” which “keeps [the] user in control”. So far so good (here at Mozilla, we’re all in favour of user control :-), but it then goes on to say that one of the ways it does so is that it “ignores autocomplete=off”.
autocomplete=off is the way that pages give a “hint” to the browser as to what sort of form autocomplete behaviour they should provide. Ignoring it is, as I read the HTML5 spec, permitted, and one can see the superficial attractiveness of this. I’m sure we’ve all come across pages where the form fields won’t save even when we want them to.
Ignoring autocomplete=”off” leads to an arms race, with users as the losers. So I hope Microsoft reconsider this move.
I keep a Chrome extension to ignore the autocomplete attribute; it is already being abused by websites to disable password saving by websites that want to be more “secure”. That’s unacceptable to me; I have to actually side with Microsoft on this one; though they could be more selective with when they ignore autocomplete=off (IE if it is on a password form field, THEN ignore it for the whole form, but never ignore it for fields that look like credit card numbers etc) or change the “Do you want to save this password” prompt slightly to indicate the website does not recommend saving it, but still keeping the user in control.
Isn’t this just another example of the same attitude that made them think enabling DoNotTrack by default was a good idea? Do what works now, and forget about the impact it will have in the future.
On the other hand, I do wish more fewer sites would use autocomplete=off, especially as form auto complete typically *improves* security, but allowing people to use more complicated password.
Check how safari solves this on an elegant way (simple hint shown when you are entering the field marked autocomplete=”off” first time and shows that the web site forbids to save the content of the filed, that is a solution, not to ignore the otherwise standard property)
MS solution is the worst that can be imagined and theirs cause is a joke.
Totally agree, MS is on the good old wrong path as many times earlier!
Just for the record, the mentioned solution does not work if listening on form submit event, that time is too late, IE will already confirm the password save, you should do the trick in the (submit typed) button onclick handler!
It should be possible for the user to cause this behavior (i.e., to cause autofill to work no matter what the website says). This should be possible to do on a site-by-site basis, and it should be possible to do it globally. Incidentally, it should be possible to do for textarea fields, not just single-line fields (although I don’t think you’d ever want to enable textarea autofill globally for all textarea fields on all sites; that would cause more problems than it would solve).
I can see, however, that maybe it ought not to be the default behavior.
@Dan: Ignoring autocomplete=off *only* occurs for type=password, and thus it wouldn’t apply to your credit card fields.
@Gerv: Just to be clear, that’s my blog (IEInternals), not the IE team’s official blog (IEBlog)
Eric: you are quite right; my apologies. I have updated the post.
Pingback: html - Comment faire pour désactiver la saisie semi-automatique pour un HTML champ de mot de passe dans IE11?