VerySimple Developer Blog
Technical Tips, Tricks and Rants.
 
Mar
07
Forcing Firefox to obey autocomplete=”off” for password fields
Filed Under (Announcements, HTML, Javascript) by Jason on 07-03-2007

Autocomplete is a nice feature which fills in common form fields automatically for the user. However, in some cases you don’t want this to happen. IE uses a non-standard attribute (autocomplete=”off”) that can be added to an entire form or one specific input control. Besides the fact that this attribute will make your HTML markup fail compliance tests, Firefox seems to consider this tag merely a “suggestion” and will disregard it at times.

In particular, Firefox will *always* populate certain password fields. There is seemingly no way to tell Firefox not to fill in a field if it really wants to do so. This can be a very bad thing if you are dealing with a user preference page or something sensitive where you don’t want autocomplete to ever occur under any circumstance. Setting value=”" is equally worthless because Firefox seems to populate this value just after the page is rendered.

The following code however will work. The concept is basially to set a timeout a fraction of a second after the page loads which clears the password field. Technically Firefox still populates the field, however this script code removes it almost instantly. As an added bonus, because you are not using autocomplete=”off” your HTML markup should still validate. This code should be placed at the bottom of your page beneath your form.

<script language=”JavaScript” type=”text/javascript”>
// this brutally clears a password field in firefox
// compliments of verysimple.com
function clearPwBox()
{
if (document.getElementById)
{
var pw = document.getElementById(’MyPasswordFieldName’);
if (pw != null)
{
pw.value = ”;
}
}
}
window.setTimeout(”clearPwBox()”, 100);
</script>

This code could probably be made more generic by enumerating through the form elements and searching for a certain class name. This way you could have one script and simply append a classname to any field that you don’t want auto-complete to occur. This technique is similar to one posted on Chris Holland’s blog. Chris’s solution, however, is aimed exclusively at the Wc3 compliance issue. As you can see in his code he adds the autocomplete=”off” attribute, which allows the page to validate properly, but doesn’t solve the Firefox/Password field issue.

If you have a more graceful solution and/or decide to flesh this idea out, please post a comment and I’ll provide a link to your site.

Share This

 

Comments:
13 Comments posted on "Forcing Firefox to obey autocomplete=”off” for password fields"
Tara on March 29th, 2007 at 11:13 am #

Thanks, that’s useful. Cheers.


Charles on May 5th, 2007 at 12:47 am #

Here’s something similar using jQuery — wipe all of the password fields on the page at once.

$().ready(function(){setTimeout(”$(’input[@type=password]‘).attr(’value’, ”);”, 100);});


Jason on May 9th, 2007 at 11:01 pm #

thanks charles - i like that, nice and clean. i bet that code could be fairly easily ported to some other frameworks too - for people already including prototype, yui, etc, it could save some code.


Arjan van Bentem on May 14th, 2007 at 5:40 am #

> Setting value=”" is equally worthless because Firefox seems
> to populate this value just after the page is rendered.

…well: if Firefox somehow knows about some saved passwords (like when stored previously when autocomplete was not yet used) then it might still populate the password when the user enters the username. So: wait until page is loaded, wait some more, enter the user name and hit tab: voila, the password is there…

By the way: some folks want Firefox to offer the user the option to ignore the autocomplete setting: https://bugzilla.mozilla.org/show_bug.cgi?id=333080

Arjan.


Jason on May 14th, 2007 at 11:23 am #

hey arjan, that is a good point. i would say that 99% of the time this problem happens to me is on a “preferences” type of page where the user has the option to reset their password. But leaving the field blank keeps the password unchanged. Typically the user cannot change their username, so that doesn’t happen in my case - but i can see it is another situation to be aware of. It might be worth putting an onchange event in the username field to set the password to empty string.

As for the bug report - I would be happier if they added a an option to actually obey autocomplete consistently! I think the people who want auto-complete ignored might be unpleasantly surprised when they start seeing firefox change settings and such for them in random web applications. For example, auto-filling in their real email address on a public forum preference page. he he!


Dave Cardwell on August 31st, 2007 at 4:21 am #

You don’t need the timeout if you’re using jQuery’s .ready() function:

jQuery(function($) { $(’input:password’).val(”) });


Nick Sutherland on September 6th, 2007 at 5:57 pm #

Another alternative (workaround that works 100% without jQuery)

It seems as if FF is looking for type=”password” to trigger the autosave password troll to activate.

So, why not prevent the save of the password to begin with…

(very rough example…)

function hideFromPassTroll(formObj, keycode)
{
if(keycode==13)
{
document.getElementById(’password’).value=document.getElementById(’field2′).value;
document.getElementById(’field2′).value=”";
document.getElementById(’field2′).type=”text”;
formObj.submit();
}
}


Nick Sutherland on September 6th, 2007 at 5:59 pm #

…continued…


Nick Sutherland on September 6th, 2007 at 6:00 pm #

form id=”loginform” action=”post”
input type=”text” id=”username” onKeyDown=”hideFromPassTroll(this.form,event.keyCode);”
input type=”password” id=”field2″ onKeyDown=”hideFromPassTroll(this.form,event.keyCode);”
input type=”button” id=”submit” value=”submit”
onClick=”hideFromPassTroll(this.form,event.keyCode);”
onKeyDown=”hideFromPassTroll(this.form,event.keyCode);”
input type=”hidden” id=”password”
form


Jason on September 6th, 2007 at 6:38 pm #

Hey Nick, That seems to be a good idea too - If i understand, you’re using a hidden field for the real password and the visible password input is cleared onSubmit so that Firefox never receives the password - thus never saves it.

I hadn’t heard the term “password troll” before, he he, is that your own term?!


Nick Sutherland on September 6th, 2007 at 7:25 pm #

yeah, I figured it sounded more accurate than “autocomplete feature”.

I spent a few hours today trying to figure out how to trick FF and that’s what I came up with… seems to work reliably, but will require another method to set the “type” attribute for IE since it doesn’t seem to support direct access to it like I’ve used. I personally like that this method prevents the save in the first place.

Any simpler methods of doing this I wonder?


Nick Sutherland on September 6th, 2007 at 8:10 pm #

Ok, the simplest method that I could figure out, for changing the “field2″ type attribute of “password” to “text” is by killing off the entire “field2″ input.

So I wrapped the “field2″ HTML input element with a SPAN, then I modified things so that essentially:

formPassParentObj = document.getElementById(”field2″).parentNode;
formPassParentObj.innerHTML=”";

should now work in almost any browser that can modify innerHTML… maybe… probably… *shrugs*


Désactiver le remplissage automatique de mots de passe dans Firefox on October 24th, 2007 at 4:06 am #

[...] L’article sur VerySimple Dev Blog [...]


Post a comment

Name: 
Email: 
URL: 
Comments: 
Close
  • Social Web

NOTE: Email is disabled

E-mail It