Make Pale Moon autocomplete adhere to W3C standards

LoveNewBrowser

Make Pale Moon autocomplete adhere to W3C standards

Unread post by LoveNewBrowser » 2014-07-13, 12:24

Pale Moon as well as IE and Chrome (but not Firefox) appears to ignore W3C standards in some cases. One is the autocomplete attribute as in this example:

Code:

<input autocomplete="off" id="Password" maxlength="50" name="Password" style="width:180px" type="password" value="" />
A page with the above line in the source still triggers Pale Moon to ask if the password is to be saved although the code explicitly asks the browser not to do that. This is part of the W3C HTML standard and needs to be honored. If this is good or bad for the user is a different discussion (I think it is bad because it weakens security), the point to be made here is that the autocomplete attribute is part of the standard and standard compliance is not negotiable. There are processes in place to amend the standard and those should be used instead.
Last edited by Moonchild on 2014-07-23, 12:26, edited 1 time in total.
Reason: Clarified subject

Supernova

Re: Make Pale Moon adhere to W3C standards

Unread post by Supernova » 2014-07-13, 12:40

This is a voluntary move; and Firefox does the same (indeed, the patch used was a FF one).
I'll link to the topic where the decision was made when I find it.
EDIT: http://forum.palemoon.org/viewtopic.php?f=3&t=4661

Moonchild
Pale Moon guru
Posts: 35479
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Make Pale Moon adhere to W3C standards

Unread post by Moonchild » 2014-07-13, 13:58

Standards compliance is most definitely negotiable. If it wasn't then none of the current browsers out there would be allowed to be published. Whether the password manager controlled fields are part of the text input field HTML spec is also a point of debate, see below, and my understanding from the standard (actually, Draft!) from June 2014 is that overriding it is perfectly fine if user-initiated (which it is in case of Pale Moon's password manager).

Autocomplete=off is honored in Pale Moon in accordance with the standard, with the (deliberate) exception for login credentials covered by the password manager. This exception is made because of the spurious use of Autocomplete=off on websites that "do not trust password managers to do their job properly". You can call it a conflict of interest: the autocomplete=off setting would allow a website to determine that you, as a user, are denied from using a core feature of your client program. A website should never be allowed to do this if the feature is an opt-in feature. If you opt-in to saving passwords, then you should always be allowed to use your opt-in feature.

Also: Because it is opt-in, it also most definitely does not weaken security - nothing is ever stored without your permission.

EDIT: Borrowed from Mr. Garrett
I think some people out there somewhere might think regular form autocomplete is the risk they're trying to avoid with 'autocomplete="off"'. That's theoretically a valid concern, but password fields should already not be covered by regular form autocomplete in any sane browser. This flag exists to prevent autocomplete from remembering SSNs, credit card numbers, encryption/login keys, and other sensitive information that would otherwise be automatically remembered. It doesn't appear to have been created to give pages the ability to override an *opt-in* feature of the user's browser.

There's really no reason to consider the password manager to be "autocomplete" in this respect. It is an opt-in feature that won't be automatically completing anything unless the user explicitly asks it to do so for the specific site. The spec [1] doesn't actually recommend the password manager be overridden here. It's all about the form field autocomplete features, including different types of fields, what data they have and should be remembered and auto-filled for them. If form autocomplete and the password manager are considered two separate features, then there's no reason for the password manager to be affected by this flag at all.

[1] http://www.w3.org/TR/html5/forms.html#autofilling-form-controls:-the-autocomplete-attribute
From [1], note:
A user agent may allow the user to override an element's autofill field name, e.g. to change it from "off" to "on" to allow values to be remembered and prefilled despite the page author's objections, or to always "off", never remembering values.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

LoveNewBrowser

Re: Make Pale Moon adhere to W3C standards

Unread post by LoveNewBrowser » 2014-07-13, 15:16

Thanks for the quick replies. Two points
- why have standards when the world thinks it is perfectly fine to ignore them? The autocomplete off makes most sense for password fields from a security point of view
- in this case I took that line off a site that is likely to be used from browsers running on shared environments. Think public library although in my case that is not the most likely scenario. Sure, we can all blame the dumb user to always just click Yes for everything (something they got groomed to do with long EULAs and multipage install wizards), but this browser behavior negates a quite useful feature.

If there is no intent to fix this then there is no point in discussing it further...as frustrating as this is.

Moonchild

Re: Make Pale Moon adhere to W3C standards

Unread post by Moonchild » 2014-07-13, 15:36

I think you're missing the point here :)
LoveNewBrowser wrote:why have standards when the world thinks it is perfectly fine to ignore them?
The standards aren't being ignored. The allowed exception to the application of autocomplete=off is being properly applied in accordance with the draft. I may not have worded myself perfectly when I said that "it's negotiable" - I meant that there is no hard and fast rule that everyone has to adhere to all standards at all times, and there is no requirement that every client adheres to all points of a standard. That can be considered a recommended improvement, but in this case it doesn't apply since the standard is followed.
LoveNewBrowser wrote:in this case I took that line off a site that is likely to be used from browsers running on shared environments. Think public library although in my case that is not the most likely scenario. Sure, we can all blame the dumb user to always just click Yes for everything (something they got groomed to do with long EULAs and multipage install wizards), but this browser behavior negates a quite useful feature.
I would expect shared environment browsers to be properly configured to disable a password manager or storage of private data for its users. Even so, it would most certainly not be the browser's fault for applying this rule, nor is it to blame for both the shared computer admin and the computer user in question not following proper practice (and both being allowed to opt-in and in fact opting in to saving credentials). You can't blame the program for human error.

jumba

Re: Make Pale Moon adhere to W3C standards

Unread post by jumba » 2014-07-13, 16:19

What if, when the autocomplete=off attribute is defined, the prompt would not pop up, but the password manager icon would still be shown in the URL bar, which would allow storing the password that way?

I understand when bank sites do not want to let users store passwords by default.

dark_moon

Re: Make Pale Moon adhere to W3C standards

Unread post by dark_moon » 2014-07-13, 16:53

I see what you mean, but the user must have the choice too.
For example, a website put the code into their site, so every time I must paste my password. The site wasn't a bank site or a security site.

So I like the fix.

Trippynet
Fanatic
Posts: 238
Joined: 2014-06-03, 20:21
Location: UK

Re: Make Pale Moon adhere to W3C standards

Unread post by Trippynet » 2014-07-13, 17:12

Me too. Personally I feel it should be up to me whether I save a password and I find non-major sites which try to block it very annoying indeed.

Moonchild

Re: Make Pale Moon adhere to W3C standards

Unread post by Moonchild » 2014-07-13, 19:36

There's a flipside as well to this whole thing: not allowing users to store passwords is a security issue in itself.
If people are forced to always type in passwords, they are very likely going to gravitate towards using short, (very) weak passwords. In what way would that ever be a good thing?

Moonchild

Re: Make Pale Moon adhere to W3C standards

Unread post by Moonchild » 2014-07-13, 19:38

jumba wrote:I understand when bank sites do not want to let users to store passwords by default.
Pale Moon doesn't. Pale Moon asks you - it's never stored (and therefore used) automatically by default.

LoveNewBrowser

Re: Make Pale Moon adhere to W3C standards

Unread post by LoveNewBrowser » 2014-07-15, 20:05

OK, proceeded with my tests and I kinda can see the user benefit for a Login page. BUT, I am currently crawling through a page that is used for adding new user accounts and the admin has a means to specify the initial password. That page, too, has the autocomplete set to off, but the password manager has no idea that this is not a login page and duly asks to save the password.
In this context ignoring the autocomplete attribute makes even less sense and is utterly annoying because why would I want to save the password for a different user account just because I add an account?

Sure, we could lobby for an override for the override...or we could just make browsers behave the way I asked for in my original post even if the specs somewhat suggest that it can be ignored. I understand why PM and other browsers work the way they do, but this is a case where power to the user is the wrong approach in my opinion.
Of course, we could make the password managers smarter, just can't think of a way on how to do that.
Last edited by LoveNewBrowser on 2014-07-15, 20:09, edited 1 time in total.

LoveNewBrowser

Re: Make Pale Moon adhere to W3C standards

Unread post by LoveNewBrowser » 2014-07-15, 20:09

Moonchild wrote:There's a flipside as well to this whole thing: not allowing users to store passwords is a security issue in itself.
If people are forced to always type in passwords, they are very likely going to gravitate towards using short, (very) weak passwords. In what way would that ever be a good thing?
That can be easily fixed by application design forcing the use of strong(er) passwords. I can fix that from a developer point...the ignoring of the autocomplete=off cannot be fixed by the dev.
Site security should be entirely up to the admin/dev and not to the user for exactly the reason given above.

SvenG

Re: Make Pale Moon adhere to W3C standards

Unread post by SvenG » 2014-07-15, 20:58

LoveNewBrowser wrote:OK, proceeded with my tests and I kinda can see the user benefit for a Login page. BUT, I am currently crawling through a page that is used for adding new user accounts and the admin has a means to specify the initial password. That page, too, has the autocomplete set to off, but the password manager has no idea that this is not a login page and duly asks to save the password.
In this context ignoring the autocomplete attribute makes even less sense and is utterly annoying because why would I want to save the password for a different user account just because I add an account?
Switch off the password manager (globally or just for that site).
Last edited by SvenG on 2014-07-15, 21:57, edited 1 time in total.

Moonchild

Re: Make Pale Moon adhere to W3C standards

Unread post by Moonchild » 2014-07-15, 21:47

SvenG is right: the password manager is selectable on a site by site basis. If for your administrative interface, this is an undesirable effect (more an exception than a rule) then you can simply "never store passwords for this site" and you have your fine-grained control without it interfering with proper use of the password manager on any other login page on the web.

LoveNewBrowser

Re: Make Pale Moon adhere to W3C standards

Unread post by LoveNewBrowser » 2014-07-15, 22:03

A) I cannot do that programmatically, that is up to the user and I cannot code the user.
B) Doesn't that disable it for the entire domain? What would be needed here is a "disable on this page" option... but even that falls short because as developer I have no control over what the user does. All I know is that due to the implementation in the browsers the user experience is not as good as it should be.

Moonchild

Re: Make Pale Moon adhere to W3C standards

Unread post by Moonchild » 2014-07-15, 22:12

As a site developer you have no control over whether the user decides to opt in to using their password manager. That is the whole point of this change. As a site owner, you SHOULD NOT have a say over whether the user can use part of their client. That is up to the user to decide. The user is (should be) in control of their own browser.

New Tobin Paradigm

Re: Make Pale Moon adhere to W3C standards

Unread post by New Tobin Paradigm » 2014-07-15, 22:30

Ok.. I am so sick of this. Time to chime in. One thing that I absolutely dislike is when Technology, Operating Systems, Software, The Open Web™, or ANYONE tries to tell me what I can and cannot do with my account, data, passwords, programs, media, or ANYTHING. We users who actually understand the consequences of things like storing passwords and the like should not be restricted from doing so because someone else THINKS they know what is best for us. We are the only one who can make that determination.

I fully approve this change that prevents some arbitrary entity who would dictate to me how my client functions depending on their unwillingness to provide full end to end support for those who MAY not be as well versed as I am on a particular issue. This goes way beyond autocomplete=off. It is a trend at the core of how things are seemingly progressing to take control out of our hands in the name of protecting us as if some of us have not EARNED the right to use our technology in any manner we see fit.

This type of nonsense has resulted or at least been a contributing force in things like secureboot, drm, enforcing cryptographic checks on driver and software installation (including drm controlled app stores), UAC, selinux and the like. Basically the continued deprecation and removal of advanced and powerful features, customization, and choice resulting in things like Australis, Metro, Google's UX, and in general cloud services REPLACING local software.

While the default may be geared towards the lowest common denominator that is NOT EVER an excuse to remove or not consider the ability to change it. So this topic in my opinion and likely most is a waste of time and resources. Pale Moon respects the user choice not the choice of any arbitrary webmaster.

In summation, this is my thought on this situation.
MozCo wrote:RESOLVED WONTFIX
Last edited by New Tobin Paradigm on 2014-07-15, 22:35, edited 1 time in total.

LoveNewBrowser

Re: Make Pale Moon adhere to W3C standards

Unread post by LoveNewBrowser » 2014-07-15, 22:33

As far as opting in, that would be acceptable from my point of view, but the default is to automatically provide the password manager services rather than the user stating that for this site enable password management, kinda the reverse of disabling password management for a site. So if the developer should have no say over how the user uses the client, why even have the autocomplete attribute at all? Or specific types of input fields, or any max lengths set, or....
I'm somewhat disappointed that this will go nowhere, but very encouraged that folks are willing to discuss this even if we end up disagreeing.

LoveNewBrowser

Re: Make Pale Moon adhere to W3C standards

Unread post by LoveNewBrowser » 2014-07-15, 22:40

mattatobin wrote:This type of nonsense....
I will use that as a defence when asked why our systems are not properly protected. Well, sir, some other developer thought it is nonsense to adhere with the explicit requests provided in my page code, that is why users are prodded to using password managers within the browser even in shared environments. Yes, sir, I know, secure OS do not have password managers for logins either.....all I can say is that I tried.
All I want is to prevent accidentally compromising accounts on shared environments. Would be nice if it is configurable, by default adhere to the page's request and if you really want to override it then explicitly enable that option. I don't think that your technology ought to override my technology, just sayin'....I guess we've beaten the dead horse enough, it won't come back to life.

Moonchild

Re: Make Pale Moon adhere to W3C standards

Unread post by Moonchild » 2014-07-16, 06:42

but the default is to automatically provide the password manager services rather than the user stating that for this site enable password management
Actually, Pale Moon is doing exactly what you ask: it asks the user to enable password management for a site "remember password for this site?". So what is the problem? It's opt-in. It's not automatic.

And I repeat, a shared environment computer requires it to be properly set up.

By default, the user should be in control, which they are right now. The site owner should not be in control, regardless of intended use of the site, because there is no reason why a webmaster should determine which parts of their program the user is allowed to have access to. If that is required, then I would even say one should have a custom client-server application pair instead of using the web. Oh gasp, yes, actually writing your own client software. :)

And I repeat as well, the autocomplete attribute is honored fully, with the deliberate exception where an opt-in client feature provides additional functionality to the user, as allowed by the W3C standard.

Locked
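
The behaviour described across this thread, modelled as an added example (not Pale Moon or Firefox code, and not written by any poster; the function names, preference names and sample forms are hypothetical or constructed): regular form autocomplete honours autocomplete="off" and never covers password fields, while the opt-in password manager is gated only by the user's own settings. The `honorOffForPasswords` switch models the stricter, configurable behaviour requested in the thread, and treating "never store" as a per-site string is an assumption.

```javascript
// Added illustration: a simplified model of the behaviour described in this
// thread. All names are hypothetical; this is not Pale Moon or Firefox code.

// Constructed sample forms. The password input is the one quoted in the first post.
const LOGIN_FORM = `
<input type="text" name="UserName" />
<input autocomplete="off" id="Password" maxlength="50" name="Password" style="width:180px" type="password" value="" />`;
const ADD_USER_FORM = `
<input type="text" name="NewUser" />
<input type="text" name="CardNumber" autocomplete="off" />
<input type="password" name="InitialPassword" autocomplete="off" />`;

const DEFAULT_PREFS = {
  passwordManagerEnabled: true, // user-level switch (off on a properly set up shared machine)
  neverSaveSites: [],           // per-site "never store passwords for this site"
  honorOffForPasswords: false,  // true = the stricter behaviour requested in the thread
};

const TEXT_TYPES = new Set(["text", "email", "tel", "url", "search"]);

// Minimal attribute extraction, adequate only for the constructed samples above.
function parseInputs(html) {
  const inputs = [];
  for (const tag of html.matchAll(/<input\b([^>]*)>/gi)) {
    const attrs = {};
    for (const a of tag[1].matchAll(/([\w-]+)\s*=\s*"([^"]*)"/g)) {
      attrs[a[1].toLowerCase()] = a[2];
    }
    inputs.push({
      name: attrs.name || attrs.id || "",
      type: (attrs.type || "text").toLowerCase(),
      autocompleteOff: (attrs.autocomplete || "").trim().toLowerCase() === "off",
    });
  }
  return inputs;
}

function evaluateForm(html, site, prefs = DEFAULT_PREFS) {
  const inputs = parseInputs(html);
  const passwords = inputs.filter((i) => i.type === "password");

  // Regular form autocomplete: honours autocomplete="off", never covers passwords.
  const formHistory = inputs
    .filter((i) => TEXT_TYPES.has(i.type) && !i.autocompleteOff)
    .map((i) => i.name);

  // Password manager: a separate feature, decided by user settings only,
  // unless the stricter switch is turned on.
  let passwordPrompt = false;
  let reason;
  if (passwords.length === 0) reason = "no password field";
  else if (!prefs.passwordManagerEnabled) reason = "password manager disabled";
  else if (prefs.neverSaveSites.includes(site)) reason = "never store for this site";
  else if (prefs.honorOffForPasswords && passwords.some((p) => p.autocompleteOff))
    reason = "page requested autocomplete=off";
  else {
    passwordPrompt = true; // a prompt only; nothing is stored unless the user accepts
    reason = "user is asked";
  }
  return { formHistory, passwordPrompt, reason };
}
```

With the default preferences both sample forms produce a save prompt, including the account-creation form, because nothing in the markup distinguishes it from a login form.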