Netscape DevEdge


How to Turn Off Form Autocompletion

Introduction

Like most modern browsers, Netscape Gecko™-based browsers (e.g. Netscape 7 & Mozilla browsers) can be configured to remember the information the user fills in for form and password fields on web sites. This feature is called Form and Password Autocompletion in Netscape Gecko browsers. The feature is known in other browsers by names such as "Form Pre-filling" and "Wallet". Netscape Gecko-based browsers have had this feature since Mozilla Milestone M18, or Netscape 6.0. The autocompletion feature for form and password fields is turned on by default, but end users can turn it off via the preference settings in the respective control panel for Form and Password Manager.

Note that on Mac OS X Netscape 7x browsers, the Preferences menu item can be found under the Netscape menu item.

Form & Password Managers also allow the user to manage stored form and password information.

Both the Form Manager and the Password Manager features raise dialog boxes asking users whether or not they want the form field information to be stored. The autocompletion feature is convenient for users, and the large majority seem to prefer to have this feature turned ON. The Gecko preference default reflects this fact. Security and privacy related preferences ultimately belong to the user, and for this reason most web sites, including web mail and many sites with commercial transactions, honor the user preference for this feature. However, some web sites need to turn the feature off for security reasons. This is typically true for banks and financial institutions, where transactions are considered extremely sensitive.

The feature can, of course, be turned off by instructing the user to uncheck the option in Form and Password Managers, but this involves an action on the user's part and the desired result may not always be obtained.

This technote shows how web sites can turn off this autocompletion feature for a particular web page -- even if the user has autocompletion turned on in the browser preference settings.

Three Aspects of Autocompletion

For this discussion, it is useful to consider 3 major aspects of autocompletion in Netscape Gecko browsers, and the important aspects for consideration in terms of user experience.

Password fields are like other form fields, but Gecko browsers provide an option to store the info in them in an encrypted file format on disk. Because of the sensitivity of passwords, there is a dedicated Password Manager for these types of form fields, whereas Form Manager handles other non-password storage of form data.

Typically, turning off autocompletion involves suppressing both the Form Manager and Password Manager dialog boxes, as well as ensuring that form information is not stored in session history for future retrievals.

How to Turn Off the Autocompletion Feature

The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the autocomplete form element attribute with value "off":

autocomplete = "off"

For example, a typical form element line with autocompletion turned off might look like the following:

<form name="myForm" id="form1" METHOD="Post" autocomplete="off" 
   ACTION="http://www.mysite.com/form.cgi">
...
...
</form>

Applicable browser versions: Netscape 6.2 (Mozilla 0.9.4) or later. IE 5 or later. For IE autocomplete info, see the relevant MSDN entry.

This form attribute is not part of any web standard; it was first introduced in Microsoft's Internet Explorer 5. Netscape introduced it in version 6.2 -- in prior versions, this attribute is ignored.

Exceptions in Netscape 6.2 and Later, and Recommended Workarounds

For Netscape Gecko browsers such as Netscape 6.2 and later, the autocomplete attribute works perfectly. With autocomplete="off", the Password Manager prompt is turned off and information is not stored in session history for future retrievals. The only exception to the use of the autocomplete="off" attribute is in the Form Manager prompt under the following special conditions:

Keywords used to describe input fields:

<form name="myForm" id="form" METHOD="Post" autocomplete="off" 
   ACTION="script.cgi">
Name: <input type="TEXT"  name="text1"> </input><br/>
Address: <input type="TEXT"  name="text2"></input><br/>
Phone: <input type="TEXT"  name="text3"></input><br/>
Password: <input type="password" name="password"></input><br/>
<input TYPE="Submit" Name="Submit" Value="SubmitThis"></input>
</form>

The above snippet uses the keywords Name and Address to describe to the end user the type of data that the field solicits. Another way that Form Manager will be activated to prompt the user to store the form data is if the name attribute for the form input fields is one of the keywords, such as in the snippet below.

Keywords used as the value for the name attribute:

<form name="myForm" id="form" METHOD="Post" autocomplete="off" 
   ACTION="script.cgi">
<input type="TEXT"  name="name"></input><br/>
<input type="TEXT"  name="address"></input><br/>
<input type="TEXT"  name="text3"></input><br/>
<input type="password" name="password"></input><br/>
<input TYPE="Submit" Name="Submit" Value="SubmitThis"></input>
</form>

In the cases above, the autocomplete feature is triggered and an attempt is made to store common form entries such as "name" and "address" in spite of the presence of the autocomplete attribute. In this case, the autocomplete attribute has no effect. However, a workaround is to mark up the field descriptions as follows:

<form name="myForm" id="form" METHOD="Post" autocomplete="off" 
   ACTION="script.cgi">
<span>N</span>ame: <input type="TEXT"  name="text1"> </input><br/>
<span>A</span>ddress: <input type="TEXT"  name="text2"></input><br/>
...
...
...
</form>

The trick is to enclose part of the words "Name" and "Address" in the span element. A Mozilla browser bug requests that Form Manager be turned off completely when the autocomplete="off" attribute is present. When this bug is fixed, there would be no need to use this workaround.

This particular sensitivity to the keywords "Name" and "Address" (case insensitive) is limited to these spellings and their variants in English, and possibly in other languages where the spellings are similar. Although we don't usually find these keywords being used in describing form fields in languages other than English, we find them sometimes as the name attribute values in many different languages. The latter is usually what prevents the autocomplete attribute from working as intended.

Recommendation

Web sites can take advantage of the non-standard but effective and widely used form element attribute autocomplete="off" to turn off both Form and Password Manager prompts and to prevent form data from being cached in session history, which avoids inadvertent display of form info when the Back button is clicked. Web sites wishing to prevent Form Manager prompts need to avoid the use of the two keywords "Name" and "Address" (and any lexical variants such as "Name1") in form field descriptions, and avoid use of these keywords as the values of the name attribute of input fields.
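
A site can check its pages against this recommendation before deployment. The script below is an added example, not part of the original technote or of any Netscape code: it flags forms that lack autocomplete="off" and any field description or name attribute containing the two keywords. The substring matching rule, the issue labels, and the sample markup are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: case-insensitive substring match approximates Form Manager's
# keyword detection; the technote names the keywords but not the matching rule.
KEYWORDS = re.compile(r"name|address", re.IGNORECASE)
SKIP_TYPES = {"submit", "button", "reset", "image", "hidden"}

class FormAudit(HTMLParser):
    """Collects (form, issue, detail) findings for each <form> in a page."""
    def __init__(self):
        super().__init__()
        self.form = None      # name of the form currently open, if any
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = a.get("name") or a.get("id") or "(unnamed)"
            if (a.get("autocomplete") or "").lower() != "off":
                self.findings.append((self.form, "autocomplete-not-off", ""))
        elif tag == "input" and self.form is not None:
            field = a.get("name") or ""
            if (a.get("type") or "text").lower() not in SKIP_TYPES \
                    and KEYWORDS.search(field):
                self.findings.append((self.form, "keyword-in-field-name", field))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

    def handle_data(self, data):
        # Text split by markup (the <span> workaround) arrives in separate
        # chunks, so "N" + "ame:" never forms a keyword.
        if self.form is not None and KEYWORDS.search(data):
            self.findings.append((self.form, "keyword-in-label", data.strip()))

def audit(html):
    parser = FormAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample mixing the technote's labelled-field and workaround markup.
SAMPLE = """<form name="f1" method="post" autocomplete="off" action="script.cgi">
Name: <input type="text" name="text1"><br/>
<span>A</span>ddress: <input type="text" name="address"><br/>
<input type="password" name="password"><br/>
<input type="submit" name="Submit" value="SubmitThis">
</form>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Because the match is a substring test, it also flags names such as "username"; that errs on the side of reporting too much rather than missing a field.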
