How to Turn Off Form Autocompletion
Like most modern browsers, Netscape Gecko ™-based browsers (e.g. Netscape 7 & Mozilla browsers) can be configured to remember the information the user fills in for form and password fields on web sites. This feature is called Form and Password Autocompletion in Netscape Gecko browsers. The feature is known in other browsers by names such as "Form Pre-filling" and "Wallet". Netscape Gecko-based browsers have had this feature since Mozilla Milestone M18, or Netscape 6.0. The autocompletion feature for form and password fields are by default turned on but can be turned off by end users via the preference settings in the respective control panel for Form and Password Manager:
For forms, go to Edit > Preferences > Privacy & Security > Forms and uncheck the option to save form data when entering forms.
For passwords, go to Edit > Preferences > Privacy & Security > Passwords and uncheck the option to remember passwords. Note that passwords can be stored in an encrypted format.
Note that on Mac OS X Netscape 7x browsers, the Preferences menu item can be found under the Netscape menu item.
Form & Password Managers also allow the user to manage stored form and password information.
Both the Form Manager and the Password Manager feature raise dialog boxes prompting users whether or not they want the form field information to be stored. The autocompletion feature is convenient for users and the large majority seem to prefer to have this feature turned ON. The Gecko preference default reflects this fact. Security and privacy related preferences ultimately belong to the user and for this reason most web sites, including web mail and many sites with commercial transactions, honor the user preference for this feature. However, some web sites for security reasons need to turn the feature off. This is typically true for banks and financial institutions where transactions are considered extremely sensitive.
The feature can be turned off of course by instructing the user to uncheck the option in Form and Password Managers, but this involves an action on the user's part and the desired result may not always be obtained.
This technote shows how web sites can turn off this autocompletion feature for a particular web page -- even if the user has autocompletion turned on in the browser preference settings.
Three Aspects of Autocompletion
Form Manager prompt—whether or not the user is presented with a dialog to allow the browser to store form field information. If a dialog box is presented, the user has to consciously decline in order to avoid storing the information.
Password Manager prompt—whether or not the user is presented with a dialog to allow the browser to store password field information. If a dialog box is presented, the user has to consciously decline in order to avoid storing the information.
Session history caching—whether or not the browser should store form data in session history for subsequent retrieval. When form data is cached in session history, the information the user has filled in will be visible after the user has submitted the form and clicked on the Back button to go back to the original form page.
Password fields are like other form fields, but Gecko browsers provide an option to store the info in them in an encrypted file format on disk. Because of the sensitivity of passwords, there is a dedicated Password Manager for these types of form fields, whereas Form Manager handles other non-password storage of form data.
Typically, turning off autocompletion involves suppressing both the Form Manager and Password Manager dialog boxes, as well as ensuring that form information is not stored in session history for future retrievals.
How to Turn Off the Autocompletion Feature
The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the
autocomplete form element attribute with value "off":
autocomplete = "off"
For example, a typical form element line with autocompletion turned off might look like the following:
<form name="myForm" id="form1" METHOD="Post" autocomplete="off" ACTION="http://www.mysite.com/form.cgi"> ... ... </form>
Applicable browser versions: Netscape 6.2 (Mozilla 0.9.4) or later. IE 5 or later. For IE autocomplete info, see the relevant MSDN entry.
This form attribute is not part of any web standards but was first introduced in Microsoft's Internet Explorer 5. Netscape introduced it in version 6.2 -- in prior versions, this attribute is ignored.
Exceptions in Netscape 6.2 and Later, and Recommended Workarounds
For Netscape Gecko browsers such as Netscape 6.2 and later, the
autocomplete attribute works perfectly. With
autocomplete="off", the Password Manager prompt is turned off and information is not stored in session history for future retrievals. The only exception to the use of the
is in the Form Manager prompt under the following special conditions:
The form element contains at least two key words "Address" and "Name" or their variants. There may be other combinations of typical form words but these two together trigger the Form Manager prompt without fail. If only one of the two key words is present, e.g. "Address", with other words such as "Phone", "Fax", "Home", or "ZIP", the prompt does not occur. Note that variants of key words such as "Name1", "Address2" will also trigger the prompt.
More specifically, the two key words "Name" and "Address" must be contained either within the form as descriptions of input fields or as values for the
nameattribute of the
inputfield. Attributes such as
iddo not have this effect. Typical HTML snippets that trigger the Form Manager dialog follow, and are illustrative of the types of markup which will trigger Form Manager to prompt users to store the form fields.
Keywords used to describe input fields:
<form name="myForm" id="form" METHOD="Post" autocomplete="off" ACTION="script.cgi"> Name: <input type="TEXT" name="text1"> </input><br/> Address: <input type="TEXT" name="text2"></input><br/> Phone: <input type="TEXT" name="text3"></input><br/> Password: <input type="password" name="password"></input><br/> <input TYPE="Submit" Name="Submit" Value="SubmitThis"></input> </form>
The above snippet uses the keywords Name and Address to describe to the end user the type of data that the field solicits. Another way that Form Manager will be activated to prompt the user to store the form data is if the
nameattribute for the form
inputfields is one of the keywords, such as in the snippet below.
Keywords used as the value for the name attribute:
<form name="myForm" id="form" METHOD="Post" autocomplete="off" ACTION="script.cgi"> <input type="TEXT" name="name"></input><br/> <input type="TEXT" name="address"></input><br/> <input type="TEXT" name="text3"></input><br/> <input type="password" name="password"></input><br/> <input TYPE="Submit" Name="Submit" Value="SubmitThis"></input> </form>
In the cases above, the autocomplete feature is triggered and an attempt is made to store common form entries such as "name" and "address" in spite of the presence of the
autocomplete attribute. In this case, the
autocomplete attribute has no effect. However, a workaround would be to:
Not use the strings "name" and "address" as the values for the names of any of the form input fields.
Split the characters in words "Name" and "Address" with the
spanelement, as the example below shows.
<form name="myForm" id="form" METHOD="Post" autocomplete="off" ACTION="script.cgi"> <span>N</span>ame: <input type="TEXT" name="text1"> </input><br/> <span>A</span>ddress: <input type="TEXT" name="text2"></input><br/> ... ... ... </form>
The trick is to enclose part of the words "Name" and "Address" in the
span element. A Mozilla browser bug requests that Form Manager be turned off completely when the
autocomplete="off" attribute is present. When this bug is fixed, there would be no need to use this workaround.
This particular sensitivity to the keywords "Name" and "Address" (case insensitive) is limited to these spellings and their variants in English, and possibly in other languages where the spellings are similar. Although we don't usually find these keywords being used in describing form fields in languages other than English, we find them sometimes as the
name attribute values in many different languages. This latter is usually what prevents the
autocomplete attribute from working as intended.
Web sites can take advantage of the non-standard but effective and widely used form element attribute
autocomplete="off" to turn off both Form and Password Manager prompts as well as not allowing form data from being cached in session history
to avoid inadvertent display of form info when the Back button is clicked. Web sites wishing to prevent Form Manager prompts need to avoid the use of the two key words "Name" and "Address" (and any lexical variants such as "Name1") in form field descriptions and avoid use of these keywords as the values of the
name attribute of input fields.