禁用 Safari 自动填充用户名和密码 [英] Disabling Safari autofill on usernames and passwords
问题描述
您可能已经知道,Safari 有一个令人讨厌的自动填充错误,无论您是否设置 autocomplete="off",它都会填充电子邮件、用户名和密码字段.
这是一个基本形式:
...Safari 在页面加载时自动填充这些字段,效果很好!
如果您将 autocomplete="off" 放在字段和/或表单元素中,Safari 仍会自动填充这些字段:
即使这样也行不通:
...因为 Safari 会查找那些 <label> 元素,如果它们包含电子邮件"、密码"等字样,并继续进行自动填充.
Aaaahhhhha!,我想,并尝试了这个:
...并使用 JavaScript 将 %TAGS% 替换为真实姓名.Safari 自动填充开始.无论您是否在替换时设置 10 秒超时.
那么,这真的是唯一的选择吗?
我希望不会?
更新:
- 如果我想保存我的 HIPPA 密码:这是我的权利
- 如果我想保存我的 PCI 密码:这是我的权利
- 如果我想保存用户的新密码":这是我的权利
- 如果我想保存一次性密码:这是我的权利
- 如果我想保存我的第一个颜色最喜欢的少女" 答案:那是我的权利.
否决用户的意愿不是你的工作.这是他们的浏览器;不是你的.
You might already know, that Safari has a nasty autofill bug where it fills email, username and password fields no matter if you set autocomplete="off" or not.
Here's a basic form:
<form action="/" method="post">
<p>
<label>E-mail</label>
<input type="text" name="email" value="" />
</p>
<p>
<label>Password</label>
<input type="password" name="password" value="" />
</p>
</form>
...Safari autofills those fields on page load like it should, job well done!
If you put autocomplete="off" to the fields and/or the form element, Safari still autofills those fields:
<form action="/" method="post" autocomplete="off">
<p>
<label>E-mail</label>
<input type="text" name="email" value="" autocomplete="off" />
</p>
<p>
<label>Password</label>
<input type="password" name="password" value="" autocomplete="off" />
</p>
</form>
Even this doesn't work:
<form action="/" method="post" autocomplete="off">
<p>
<label>E-mail</label>
<input type="text" name="secretfield1" value="" autocomplete="off"/>
</p>
<p>
<label>Password</label>
<input type="password" name="secretfield2" value="" autocomplete="off" />
</p>
</form>
...since Safari looks up those <label> elements if they contain words "E-mail", "Password" etc. and goes ahead with the autofill.
Aaaahhhhha!, I thought, and tried this:
<form action="/" method="post" autocomplete="off">
<p>
<label>%REPLACE_EMAIL_TITLE%</label>
<input type="text" name="%REPLACE_EMAIL_NAME%" value="" autocomplete="off"/>
</p>
<p>
<label>%REPLACE_PASSWORD_TITLE%</label>
<input type="password" name="%REPLACE_PASSWORD_NAME%" value="" autocomplete="off" />
</p>
</form>
...and replace %TAGS% with the real names using JavaScript. Safari autofill kicks in. No matter if you set a 10 second timeout on the replacement.
So, is this really the only option?
<form action="/" method="post" autocomplete="off">
<p>
<label>That electronic postal address we all use, but can't write the title here because Safari fills this with YOUR information if you have autofill turned on</label>
<input type="text" name="someelectronicpostaladdress" value="" autocomplete="off"/>
</p>
<p>
<label>A set of characters, letters, numbers and special characters that is so secret that only you or the user you are changing it for knows, but can't write the title here because Safari sucks</label>
<input type="password" name="setofseeecretcharacters" value="" autocomplete="off" />
</p>
</form>
I hope not?
UPDATE: @skithund pointed out in Twitter, that Safari is getting a 4.0.3 update, which mentions "Login AutoFill". Does anyone know if that update is going to fix this?
The reason browsers are ignoring autocomplete=off is because there have been some web-sites that tried to disable auto-completing of passwords.
That is wrong.
And in July 2014 Firefox was the last major browser to finally implement the change to ignore any web-site that tries to turn off autocompleting of passwords.
- June 2009: IEInternals blog where they discuss keeping the user in control (archive)
- February 2014: Chrome's announcement when they began ignoring
autocomplete=off(archive) - January 2014: Bugzilla Bug 956906 - ignore autocomplete="off" when offering to save passwords via the password manager (archive)
- Reddit discussion (archive)
One of the top user-complaints about our HTML Forms AutoComplete feature is "It doesn’t work– I don’t see any of my previously entered text." When debugging such cases, we usually find that the site has explicitly disabled the feature using the provided attribute, but of course, users have no idea that the site has done so and simply assume that IE is buggy. In my experience, when features are hidden or replaced, users will usually blame the browser, not the website.
Any attempt by any web-site to circumvent the browser's preference is wrong, that is why browsers ignore it. There is no reason known why a web-site should try to disable saving of passwords.
- Chrome ignores it
- Safari ignores it
- IE ignores it
- Firefox ignores it
At this point, web developers typically protest "But I wouldn’t do this everywhere– only in a few little bits where it makes sense!" Even if that’s true, unfortunately, this is yet another case where there’s really no way for the browser to tell the difference. Remember, popup windows were once a happy, useful part of the web browsing experience, until their abuse by advertisers made them the bane of users everywhere. Inevitably, all browsers began blocking popups, breaking even the "good" sites that used popups with good taste and discretion.
What if I'm a special snowflake?
There are people who bring up a good use-case:
I have a shared, public area, kiosk style computer. We don't want someone to (accidentally or intentionally) save their password so the next user could use it.
That does not violate the statement:
Any attempt by any web-site to circumvent the browser's preference is wrong
That is because in the case of a shared kiosk:
- it is not the web-server that has the oddball policy
- it is the client user-agent that has the oddball policy
The browser (the shared computer) is the one that has the requirement that it not try to save passwords.
The correct way to prevent the browser from saving passwords
is to configure the browser to not save passwords.
Since you have locked down and control this kiosk computer: you control the settings. That includes the option of saving passwords.
In Chrome and Internet Explorer, you configure those options using Group Policies (e.g. registry keys).
From the Chrome Policy List:
AutoFillEnabled
Enable AutoFill
Data type: Boolean (REG_DWORD)
Windows registry location: SoftwarePoliciesChromiumAutoFillEnabled
Description: Enables Chromium's AutoFill feature and allows users to auto complete web forms using previously stored information such as address or credit card information. If you disable this setting, AutoFill will be inaccessible to users. If you enable this setting or do not set a value, AutoFill will remain under the control of the user. This will allow them to configure AutoFill profiles and to switch AutoFill on or off at their own discretion.
Please pass the word up to corporate managers that trying to disable autocompleting of password is wrong. It is so wrong that browsers are intentionally ignoring anyone who tries to do it. Those people should stop doing the wrong thing.™
Put it another way
In other words:
- if the users browser
- mistakes "Please enter the name of your favorite maiden name's first color." for a new password
- and the user
- doesn't want their browser
- to update their password,
- then they
- will click Nope
- if i want to save my HIPPA password: that's my right
- if i want to save my PCI password: that's my right
- if i want to save the "new password for the user": that's my right
- if i want to save the one-time-password: that's my right
- if i want to save my "first color's favorite maiden" answer: that's my right.
It's not your job to over-rule the user's wishes. It's their browser; not yours.
这篇关于禁用 Safari 自动填充用户名和密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
