Reputation: 557
I have a Progressive Web App. First page is the login page. From there user is redirected to the other/final page (based on the user type). This last page is a Single Page Application. So, in this SPA there are some sections where user can change sensitive data. To be sure about the identity of user I request the password for confirmation. So far so good.
My problems appears with Chrome who wants to autocomplete the password field used for confirmation of the user. I ask nicely Chrome to stay away from those fields:
<input id="pass" value="" autocomplete="off" type="password">
I try without a form
to discourage browser to fill those fields, I try to use <form autocomplete="off">
- no chance.
Even more, after SPA is loaded, Chrome is filling password field despite the fact this section is HIDDEN!
I do not want to Create Amazing Password Forms, I do not want to Help users checkout faster with Autofill, I want Chrome to let some password fields in peace without being forced to do all kinds of tricks in this regard. I know when to "Create Amazing Password Forms", but this is not the case. I believe this behaviour is dangerous and it is against any notion of security.
My question is: what is the best approach to avoid Chrome's behaviour? I want autocomplete="off"
option to be respected. new-password
and off
are two totally different things.
This question can be quickly marked as duplicate for this or this questions but now is 2020 and I cannot find an elegant solution for my problem. I believe also that Chrome will not fix this bug (sorry, this feature) and will put "user experience" in front of any reasonable security measures.
So, dear Chrome, how can translate to you those little things:
autocomplete = "new-passord"
) when the user changes the password. This way you can make suggestions for choosing a more complicated password and even save the new password (which is left free to auto-complete at login). But in THIS form I do NOT want to fill in the current password. It's clear? What do you not understand from autocomplete = "off"
?Upvotes: 0
Views: 501
Reputation: 609
So the autocomplete attribute is no longer supported by some browsers, but you can try clearing the field (rendering the tag inaccessible by chrome) using javascript like this:
<input id="pass" value="" autocomplete="off" type="password" onfocusout ="this.setAttribute('readonly','readonly');" onfocus ="this.removeAttribute('readonly');">
Upvotes: 2