In 1999, Microsoft's IE 5 was the first browser to implement auto-completion of form text fields, which lets you avoid retyping text you have previously entered into a field with the same name (even on another site). Along with it came a non-standard extension to the <input> tag: the autocomplete attribute, which, when set to off, disables this functionality for a particular field. Today all popular browsers (apparently with the exception of Opera) support autocomplete and this attribute, and it has been adopted into the HTML 5 standard. Website developers, however, often neglect it.
Credit cards
The most important place to use it is the credit card number field. Bear in mind that the browser remembers every value ever entered into such a field. Firefox 3.5.x, for instance, keeps them in the formhistory.sqlite file in the user profile, in clear text. Setting a master password in the Firefox password manager does not encrypt this file, and I have not found any extension that would (tell me if you know of one). I shop online often, and after typing the first four digits of my card number (which, incidentally, are the same for every card issued by my bank) into my favourite file viewer, I found five copies of the card number under different field names: cc_number, cregit_num, CARDNUM, ctl00$cphBody$txtCardNumber and cardnr. Nearby, in three cases I found the cardholder name, in two cases the expiry date (this is often chosen from a drop-down list, so it is not always remembered) and in four cases the CVV code. Note that not every shop requires a CVV code; in many of them a purchase goes through without it.
What this means is simple: anyone with a sharp eye needs about two minutes at an unlocked computer to walk away with the number of the card you shop with. For a trojan it is easier still. At the same time, I see no simple way to wipe all of this at once without touching the other autocomplete fields: you have to hunt for an SQLite database editor, install a form-management add-on (for example, Form History Control, thanks to Source), or delete the entries on every relevant site (and who remembers them all?). I solved the problem for the time being by creating an HTML file with this content:
<input type="text" name="cc_number">
<input type="text" name="cregit_num">
<input type="text" name="CARDNUM">
<input type="text" name="ctl00$cphBody$txtCardNumber">
<input type="text" name="cardnr">
Having opened it in the browser, I pressed "down" and then "delete" in each field. Immediately after that the card numbers were gone from formhistory.sqlite.
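The same clean-up can be scripted against the profile database instead of clicking through a page of fields. The script below is an added example and is not the author's code: it assumes the moz_formhistory table with its fieldname and value columns that Firefox uses for form history, the rows it runs on are constructed (standard test card numbers stored under the field names from this post), and it goes beyond the post's "16 digits in a row" rule by accepting 13 to 19 digits with optional spaces or dashes and requiring a valid Luhn checksum, so that phone numbers and order references of the same length are left alone.

```python
"""Audit a Firefox formhistory.sqlite for remembered card numbers (added example).

Assumes Firefox's moz_formhistory table with `fieldname` and `value` columns.
The sample rows below are constructed. Close Firefox before running this
against a real profile: the database is locked while the browser is open.
"""
import re
import sqlite3
import sys
from typing import List, Tuple

SEPARATORS = re.compile(r"[ -]")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by all major card brands; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_number(value: str) -> bool:
    """13-19 digits (PAN lengths), optional space/dash separators, Luhn-valid."""
    compact = SEPARATORS.sub("", value)
    return compact.isdigit() and 13 <= len(compact) <= 19 and luhn_ok(compact)


def find_card_numbers(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    """Return (fieldname, value) for every history entry that looks like a PAN."""
    rows = conn.execute("SELECT fieldname, value FROM moz_formhistory").fetchall()
    return [(field, value) for field, value in rows if looks_like_card_number(value)]


def purge_card_numbers(conn: sqlite3.Connection) -> int:
    """Delete only the matching entries, leaving all other autocomplete data alone."""
    hits = find_card_numbers(conn)
    with conn:  # one transaction
        conn.executemany(
            "DELETE FROM moz_formhistory WHERE fieldname = ? AND value = ?", hits
        )
    return len(hits)


def build_sample_history() -> sqlite3.Connection:
    """Constructed stand-in for a profile's formhistory.sqlite (field names from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE moz_formhistory ("
        "id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, value TEXT NOT NULL)"
    )
    rows = [
        ("cc_number", "4111111111111111"),                   # Visa test number
        ("cregit_num", "4111 1111 1111 1111"),               # same, typed with spaces
        ("CARDNUM", "5500000000000004"),                     # Mastercard test number
        ("ctl00$cphBody$txtCardNumber", "340000000000009"),  # 15-digit Amex test number
        ("cardnr", "6011000000000004"),                      # Discover test number
        ("q", "autocomplete off"),                           # ordinary search history
        ("order_ref", "1234567890123456"),                   # 16 digits, fails Luhn: kept
        ("cvv", "123"),                                      # too short to be a PAN: kept
    ]
    conn.executemany(
        "INSERT INTO moz_formhistory (fieldname, value) VALUES (?, ?)", rows
    )
    return conn


if __name__ == "__main__":
    # Usage: python audit_formhistory.py [/path/to/profile/formhistory.sqlite]
    db = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_history()
    for field, value in find_card_numbers(db):
        print(f"{field}: {value[:4]}{'*' * (len(value) - 4)}")
    print(f"removed {purge_card_numbers(db)} entries")
```

Note what the pattern cannot do: the three-digit CVV and the cardholder name in the sample survive the purge, because nothing in their shape says they are card data. That is exactly why the shop's own form has to carry the attribute.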
If your site asks for card details, be sure to add
autocomplete="off"
to the input fields for the number, the cardholder name and the CVV code. Keep in mind that the attribute is only a hint to the browser (modern browsers, for instance, ignore it on login and password fields), so it is a courtesy to the user rather than a control you can rely on. It would be good to see support from the browsers as well. For example, a Firefox extension that saves text selectively according to a regular expression. For a card number the rule is simple: 16 digits in a row, do not save. I cannot recall ever entering another 16-digit number that I would want autocomplete to remember. Encrypting the autocomplete data under the master password would also be appropriate.
Captcha
This is not a security issue, but it is often annoying. If your site asks the user to enter a captcha, turn autocomplete off for that field: a captcha value never repeats, so the suggestions are useless. I have even seen this on Google:

Own autofill
If you have implemented autocomplete yourself (for example, loading the options via Ajax), do not forget to turn off the browser's. Usually people do not forget, but I came across this, for example, on the Wikiled site:

The top suggestion is offered by the browser, the ones below it by the site's own autocomplete mechanism (a hint about the on-screen keyboard has crept in there as well). As a result, the site's autocomplete is very hard to use, especially from the keyboard, because the browser intercepts the arrow keys.
In general, the moral is this: for every text field you create, ask yourself as a matter of habit whether the user gains anything from autocomplete in that field. If not, turn it off. Incidentally, autocomplete can be disabled by default for a whole form with
<form autocomplete="off">
and then, where needed, re-enabled on individual fields with autocomplete="on".
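Both rules above, the per-field autocomplete="off" on card inputs and the form-level default that individual fields can override, can be checked mechanically before a page ships. The linter below is an added example, not the author's or any project's code. It parses markup with the standard library's HTMLParser, tracks the enclosing form's setting on a stack, and reports card-related inputs the browser will add to its form history. The CARD_FIELD name heuristic and the sample page are assumptions constructed for the example.

```python
"""Lint HTML for card-entry inputs the browser will remember (added example).

A field counts as remembered unless it carries autocomplete="off" itself or
inherits it from an enclosing <form autocomplete="off"> without overriding
it with autocomplete="on". CARD_FIELD and SAMPLE_PAGE are constructed.
"""
import re
from html.parser import HTMLParser
from typing import List

# Assumed name heuristic for card data. It will not catch misspellings such as
# the post's "cregit_num"; the developer who knows which field is which should
# set the attribute rather than rely on a guess.
CARD_FIELD = re.compile(r"card|cc[_-]?n|cvv|cvc|csc|expir", re.I)

# Input types that never go into form history (passwords go to the
# password manager, which is a separate store).
NOT_HISTORY = {"hidden", "submit", "button", "reset", "image", "file",
               "checkbox", "radio", "password"}


class AutocompleteAudit(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.form_off: List[bool] = []   # stack: does the enclosing <form> say off?
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.form_off.append(a.get("autocomplete", "").lower() == "off")
            return
        if tag != "input" or a.get("type", "text").lower() in NOT_HISTORY:
            return
        name = a.get("name") or a.get("id") or ""
        if not CARD_FIELD.search(name):
            return
        own = a.get("autocomplete", "").lower()
        if own:
            remembered = own != "off"                               # per-field setting wins
        else:
            remembered = not (self.form_off and self.form_off[-1])  # inherit the form default
        if remembered:
            self.findings.append(name)

    def handle_endtag(self, tag) -> None:
        if tag == "form" and self.form_off:
            self.form_off.pop()


def audit_autocomplete(html: str) -> List[str]:
    """Names of card-related inputs that will be saved to the browser's form history."""
    parser = AutocompleteAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the first form relies on per-field attributes,
# the second on the form-level default with one field re-enabled.
SAMPLE_PAGE = """
<form action="/checkout" method="post">
  <input type="text" name="cc_number">
  <input type="text" name="cardholder" autocomplete="off">
  <input type="text" name="cvv" maxlength="4">
  <input type="text" name="email">
</form>
<form action="/checkout2" method="post" autocomplete="off">
  <input type="text" name="CARDNUM">
  <input type="text" name="ccname" autocomplete="on">
  <input type="text" name="shipping_name" autocomplete="on">
</form>
"""

if __name__ == "__main__":
    for field in audit_autocomplete(SAMPLE_PAGE):
        print(f"remembered: {field}")
```

On the sample page the linter flags cc_number and cvv (no attribute, no form default) and ccname (explicitly re-enabled inside the form that is otherwise off); cardholder and CARDNUM pass.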
Upd: to get the document through the W3C XHTML validator, you can extend the DTD, for example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd" [
<!ATTLIST input autocomplete CDATA #IMPLIED>
]>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head><title/></head>
<body>
<div><input type="text" autocomplete="off" name="test"/></div>
</body>
</html>