Google Chrome Auto Complete Hash! (autocomplete="off")

Hmm … Not sure I like this one tiny bit, Google. Google has decided that its policy in regards to how Chrome will handle autocomplete="off" directives is to completely ignore them, all the time. They are arguing that people use the built-in password manager to allow for more diverse and complex passwords to be used for each site. I can sort of agree with this to some extent. Using the same password for lots of sites isn’t a good plan really, and that is to some extent part of the good thing about OAuth and OAuth 2.0. At least you aren’t seeing an explosion of user accounts.

Anyway, the problem now is that this is going to start impacting how we web form developers organise our forms. Why? Well, look at this example below:

login form problem

Since there is stored password info for this site in the Chrome password manager, it attempts to pre-fill the form contents with this information. However, it has gotten it catastrophically wrong. It has in fact done EXACTLY what we don’t want. There is an email address field on the form that is left empty, and the display name field is populated with the email address. The very reason there is a display name field is so that we can show something to other users that ISN’T the email address. It’s OK, since we have validation on that field to make sure whatever is entered isn’t an email address, but that’s kinda missing the point.

The Solution?

Well, it turns out that Chrome has gotten the password into the right box. Now, the assumption that Chrome makes is that any textbox preceding a password box MUST be an email address box. It completely ignores any text or the name of the input control and just plops the email address stored for the web site into that box, and since that is the display name box, the email address is put in there … great. Anyway, now that we know that, we can do this …

login problem solved

And sleep better at night again …
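
As an added example (not from the original post), the JavaScript below models the heuristic described above and reports which field in a form would receive the stored username. The form markup, the field names, and the fix of placing the email field directly before the password box are assumptions made for illustration.

```javascript
// Added example. Models the fill heuristic as the post describes it: the stored
// username lands in the text box immediately before the password box. This is
// not Chrome's actual algorithm, and all field names are constructed.

// Collect <input> elements from an HTML string, in document order.
function listInputs(html) {
  const inputs = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[m[1].toLowerCase()] = m[2];
    }
    inputs.push({ type: (attrs.type || "text").toLowerCase(), name: attrs.name || "" });
  }
  return inputs;
}

// Name of the field the heuristic would fill with the stored username, or
// null when there is no password box or no text box in front of it.
function predictedUsernameTarget(html) {
  const textLike = new Set(["text", "email"]); // assumption: both count as a "textbox"
  const inputs = listInputs(html);
  const pw = inputs.findIndex((i) => i.type === "password");
  for (let k = pw - 1; k >= 0; k--) {
    if (textLike.has(inputs[k].type)) return inputs[k].name;
  }
  return null;
}

// Compare the predicted target with the field the developer intends to be filled.
function checkForm(html, intendedField) {
  const target = predictedUsernameTarget(html);
  return { target, ok: target === intendedField };
}

// Constructed markup: display name sits directly before the password box.
const problemForm = `
  <input type="email" name="email">
  <input type="text" name="display_name">
  <input type="password" name="password">`;

// Constructed markup: email moved so it directly precedes the password box.
const reorderedForm = `
  <input type="text" name="display_name">
  <input type="email" name="email">
  <input type="password" name="password">`;

console.log(checkForm(problemForm, "email"));
console.log(checkForm(reorderedForm, "email"));
```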
