Hacker News new | ask | show | jobs
by thaumasiotes 1842 days ago
I feel like repeating an old comment of mine ( https://news.ycombinator.com/item?id=27231194 ) here:

> Conforming to the spec is not a virtue.

> When the spec is malicious, conforming to the spec is malicious behavior.

> I'm comfortable calling it a bug in the spec. `a << 40` needs to have 0 in the lowest 40 bits. It does not need to have random values in bits 8-31.

> This behavior is documented, but that doesn't make things better, it makes them worse.

> But the philosophy that says "if it's documented, then it's OK" doesn't even allow for the concept of a bug in the spec.

Implementing a bad idea doesn't become a good idea just because someone once wrote that it was.
1 comments
vincnetas 1842 days ago
I think predictability is important. And specs define what you can expect. System with undefined/unpredictable behaviour does complicate a life in long run even if at the moment it looks more convenient.
link
wildrhythms 1842 days ago
If the topic is predictability, I would expect banks to use the spec to disable only predictably non-autofillable fields with the user's best experience in mind. Disabling autocomplete on username and password fields in the name of some nebulous 'security' goal is neither predictable, nor in line with most user's expectation of usability; it also doesn't make the system more secure. I could argue that these sites themselves aren't following the spec by disabling the fields.

Remember, there are autocomplete values to accommodate "current-password"[1]. If your bank has a field representing a password without that attribute, do you think that's following the spec?

[1] https://html.spec.whatwg.org/multipage/form-control-infrastr...

link