[wp-trac] [WordPress Trac] #41136: Login forms lacking autocomplete attributes

Wed Dec 29 07:54:18 UTC 2021

#41136: Login forms lacking autocomplete attributes
------------------------------+--------------------------------------------
 Reporter:  johnjamesjacoby   |       Owner:  (none)
     Type:  defect (bug)      |      Status:  new
 Priority:  normal            |   Milestone:  Awaiting Review
Component:  Login and         |     Version:
  Registration                |
 Severity:  normal            |  Resolution:
 Keywords:  needs-patch       |     Focuses:  accessibility, administration
------------------------------+--------------------------------------------
Changes (by rianrietveld):

 * focuses:   => accessibility, administration

Comment:

 Hey all, I'd like to give this ticket some attention and priority.

 **WCAG on autocomplete**
 For **WCAG 2.1 AA** autocomplete values are required in login forms.
 That's success criterion 1.3.5 Identify Input Purpose
 https://www.w3.org/WAI/WCAG21/quickref/?showtechniques=131%2C412#identify-
 input-purpose.

 In the new **WCAG 2.2 A** an additional success criterion wil be added to
 help users remember their login data, and using autocomplete is one of the
 techniques for that.
 That's success criterion 3.3.7 Accessible authentication
 https://www.w3.org/WAI/standards-guidelines/wcag/new-in-22/#337
 -accessible-authentication-a

 The release of 2.2 is planned for June 2022. Both success criteria are
 added to help people with a cognitive disability.

 So instead of adding autocomplete="off", as the patch suggests the values
 should be:

 {{{
 <input type="text" name="log" id="user_login" autocomplete="username"
 class="input" value="" size="20" autocapitalize="off" >
 }}}

 and

 {{{
 <input type="password" name="pwd" id="user_pass" autocomplete="current-
 password" class="input password-input" value="" size="20" >
 }}}

 All autocomplete values are listed on MDN: [The HTML autocomplete
 attribute](https://developer.mozilla.org/en-
 US/docs/Web/HTML/Attributes/autocomplete)

 **Discussion:**
 As the autocomplete values are stored in the browser, this may result in
 security issues when users share their computers or use a computer in a
 public place like a library.

 One way or another, we have to make a discion about adding autocomplete
 values. This ticket could serve as reference and documentation about what
 we decide.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/41136#comment:8>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform