by pas 3149 days ago
Users don't use thousands of sites. If a site misbehaves and users want autofill on it, they should be able to override autocomplete=off for that site.

Google could even make an extension for this to allow users to gather and share a list of sites that behave in a user unfriendly way.

But of course, it was much easier to fuck up half of the Web.

Public choice and mandates are great for things that require cooperation and agreement against race to the bottom (like tax havens), not against autocomplete fucking off.


I have a site that deals with HIPAA protected information. I absolutely don't want autofill, especially for sign in information. Chrome makes that impossible and just ignores the code.
Could you explain the downside of allowing auto-fill for sign-in information here? I understand that security is a concern, but I don't see how allowing a password manager to handle sign-ins would be harmful.
In a medical setting, most computers are public. Sharing passwords is a HIPAA violation, because HIPAA requires a complete, accurate log of everyone who has looked at or modified a medical record.

My guess is that many medical computers aren't well administrated and leave autofill on, which can easily cause accidental HIPAA violations.

Disabling autofill seems like the wrong way to handle the problem, though. Autofill does not necessarily mean that passwords are being shared; it just means that the user isn't typing them in. Strong policies on the machines in question and ensuring that users aren't sharing each others environments seems like a considerably more complete solution to me. This can be facilitated by tools like https://www.imprivata.com/single-sign-on-sso. Ironically enough, disabling autofill may actually prevent this tool from providing some of the benefits it's intended to provide.
While I agree that autofill on its own is not a complete solution to GP's scenario, it's certainly a potential point-of-failure, and I understand their need to eliminate as much risk as possible. While the most significant aspect to be improved is the security habits of the clients themselves, that doesn't mean that GP and their company should be prevented from doing what little they can just because Google wanted things to work their way.
That's why there are profiles. Even in Chrome. And in Windows too.

Or that's why the sysadmin should disable the password manager.

It's not up to the website.

If you have an internal site, you already control the browser, so why do you want to fight the browser from the inside instead of from the outside? :o

I can't remember the exact scenarios that triggered it, but I've seen situations where Chrome autofills data other than sign-in passwords as well (also ignoring autocomplete=off).

There was a form where an administrator can change certain details of another user's profile, and if the e-mail (or name) field was empty on a profile, then Chrome would autofill it with the administrator's e-mail, which can result in unwanted or corrupted data.

Some replies in this thread suggest configuring Chrome differently in organizations where this is important to avoid, but when you are a SaaS vendor, your users will inevitably blame you for Chrome's behavior.

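The corruption described in the comment above (the editing administrator's own e-mail landing in someone else's blank profile) can be caught on the server regardless of what the browser does with autocomplete=off. The following is an added example, not code from the thread or from any product mentioned in it; every name (validateProfileUpdate, directory, findById, findByEmail) is hypothetical and the user records are constructed sample data.

```javascript
// Added example (not from the thread): server-side guard for an
// "admin edits another user's profile" form. Names are hypothetical;
// the directory below is constructed sample data.

const directory = [
  { id: 1, email: 'admin@example.test', name: 'Admin Person' },
  { id: 2, email: 'alice@example.test', name: 'Alice' },
  { id: 3, email: '', name: '' }, // blank profile: the autofill victim
];

function findById(id) {
  return directory.find((u) => u.id === id);
}

function findByEmail(email) {
  const e = email.trim().toLowerCase();
  return e !== '' && directory.find((u) => u.email.toLowerCase() === e);
}

// Compares the submitted fields against the target's stored values and
// returns either { ok: true, changes } or { ok: false, errors }.
// The key check: when an admin edits someone else, a submitted e-mail
// equal to the admin's own address is treated as browser autofill, not
// as an intentional edit, and the update is rejected.
function validateProfileUpdate(actorId, targetId, submitted) {
  const actor = findById(actorId);
  const target = findById(targetId);
  if (!actor || !target) return { ok: false, errors: ['unknown actor or target'] };

  const errors = [];
  const changes = {};
  for (const field of ['email', 'name']) {
    if (!(field in submitted)) continue;
    const value = String(submitted[field]).trim();
    if (value === target[field]) continue; // unchanged, nothing to apply
    changes[field] = value;
  }

  if ('email' in changes) {
    const email = changes.email.toLowerCase();
    const owner = findByEmail(email);
    if (actorId !== targetId && email === actor.email.toLowerCase()) {
      errors.push(
        `email matches the editing administrator's own address (${actor.email}); likely browser autofill`
      );
    } else if (owner && owner.id !== target.id) {
      // Uniqueness check also catches any other account's address.
      errors.push(`email already belongs to user ${owner.id}`);
    }
  }

  return errors.length ? { ok: false, errors } : { ok: true, changes };
}

// Usage: the admin (id 1) submits the form for the blank profile (id 3).
console.log(validateProfileUpdate(1, 3, { email: 'admin@example.test', name: 'Bob' }));
console.log(validateProfileUpdate(1, 3, { email: 'bob@example.test', name: 'Bob' }));
```

The diff-against-stored-values step means untouched fields never produce a change, so a field the browser fills with the value that was already there is harmless; only a value that both differs from the record and equals the actor's own identity is rejected. The name field is deliberately not compared with the admin's name, since two people can legitimately share one.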
> If a site misbehaves and users want autofill on it, they should be able to override autocomplete=off for that site.

How?

What do you imagine?

This website has turned off auto-complete, as they believe it may not work effectively for their forms.

* Turn on anyway
* Leave disabled for this form

= Remember my choice for this website

With the same yellow bar at the top that they use for other issues. Tell them what the site is doing and ask whether they want to allow or block that, and whether to do that for all sites or only this one.
We don't need to imagine. Lots of sites abused autofill in order to prevent password management. That's why autocomplete=off gets stomped.
Do you have concrete examples of websites that are "fucked up" because of this?