[wp-trac] [WordPress Trac] #41136: Login forms lacking autocomplete attributes

WordPress Trac noreply at wordpress.org
Mon Mar 28 00:00:12 UTC 2022

#41136: Login forms lacking autocomplete attributes
 Reporter:  johnjamesjacoby   |       Owner:  joedolson
     Type:  defect (bug)      |      Status:  accepted
 Priority:  normal            |   Milestone:  6.0
Component:  Login and         |     Version:
  Registration                |
 Severity:  normal            |  Resolution:
 Keywords:  needs-patch       |     Focuses:  accessibility, administration

Comment (by peterwilsoncc):

 Replying to [comment:12 joedolson]:
 > One thing I think this will need is to provide a filter so that
 autocomplete can be disabled; sites with higher security needs might need
 an easy way to disable this feature.

 According to caniuse, browsers ignore `off` for the following fields

 * Chrome, Edge: intentionally ignores `autocomplete="off"` when the user
 uses the browser's autofill functionality.
 * Firefox: ignores `autocomplete="off"` for login forms
 * Safari: ignores the `off` value for username, email and password fields

 It's also worth noting that since [comment:3 comment#3] several years ago,
 support for autocomplete has become universal with the exceptions noted

 > Overall, however, I think this is more of a benefit than a potential for
 harm. Would benefit from some additional voices on the security side,

 From a security perspective, I think it's fine to include the autocomplete
 values. I don't think adding filters is necessary given the browser
 manufacturers' decisions documented above.

Ticket URL: <https://core.trac.wordpress.org/ticket/41136#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list