22815 – Both autocomplete="on" and autocomplete="off" are UA hints and thus should use MAY, not SHOULD language

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 22815 - Both autocomplete="on" and autocomplete="off" are UA hints and thus should use MAY, not SHOULD language

Summary: Both autocomplete="on" and autocomplete="off" are UA hints and thus should us...

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	WHATWG
Classification:	Unclassified
Component:	HTML (show other bugs)
Version:	unspecified
Hardware:	PC All

Importance:	P2 normal
Target Milestone:	Unsorted
Assignee:	Ian 'Hixie' Hickson
QA Contact:	contributor

URL:
Whiteboard:
Keywords:

Depends on:	22814
Blocks:
	Show dependency tree / graph

Reported:	2013-07-26 17:33 UTC by Edward O'Connor
Modified:	2013-09-26 18:04 UTC (History)
CC List:	4 users (show)

See Also:

Attachments

Description Edward O'Connor 2013-07-26 17:33:39 UTC

+++ This bug was initially created as a clone of Bug #22814 +++

Currently, the spec for autocomplete="off" says

> When an element's autofill field name is "off", the user agent should not remember the control's value, and should not offer past values to the user.

And SHOULD, in RFC 2119, basically means "MUST unless you have a really good reason."

Consider a site with a user signup form and a login form. The signup form doesn't have autocomplete attributes. A user starts to fill in the registration form, and the user's browser offers to create a new, unique password for this site. The user agrees.

Later on, the user browses to the site and tries to log in. The login form has autocomplete="off". Per spec, the UA should not offer to fill in the stored password for the user, because the author expects the user to type the password in themselves. But in this scenario the user doesn't even know the password in the first place.

Ultimately, the autocomplete="" attribute represents a hint to UAs, but UAs should be free to do whatever is in their user's interests with the hint.

Comment 1 Ian 'Hixie' Hickson 2013-07-26 22:23:28 UTC

It's SHOULD because there's a strong reason for why browsers should follow the hint rather than ignore it: banks will freak out and block you if you don't follow it. So unless you have a good reason to ignore it (such as, you happen to know that the site's password was autogenerated and so the user hasn't a hope in heck of knowing what it is), you shouldn't ignore it.