Don't need no credit card to ride this train

[venta]

An question about web forms and security...

When filling in forms (I use FireFox), it's often possible to hit the down arrow and get a list of things you previously typed into that field. This is kind of handy, mostly, and results in me not having to type my name or email address out a lot.

Forms taking things like credit card details don't usually do this - for obvious reasons - and I assume the existence of some sort of 'nocache' attribute which the form-writer can set on the fields which contain information which should be a little more secure.

Except today I filled in an entire payment form (card number, expiry date, security code, the lot) from cached information based on me having filled the same form out on that website months ago. This strikes me as Not Good.

I intend to write to the site in question and tell them I think they're a bit rubbish... but I'd like to be sure I know what I'm talking about first. Am I right about the form attribute ? Am I totally wrong, and this is something which FireFox implements wrongly and the site itself can't be blamed for ?

Informed opinion welcome :)

Comments

[alien8.livejournal.com]

Don't send that email.

It's all in your browser. Under the preferences (I'm on a Mac so if you are on Doze it will vary.) Privacy, remember search and form history.

You're not the only one to have found this: http://support.mozilla.com/en-US/forum/1/7920

You can uncheck this - but this is sometimes rather handy.

So, try http://autofillforms.mozdev.org/ which will crypt the settings via your master password.

What? you haven't got one?

do it now : set a Master Password for your profile (Preferences, Security, Use a Master Password)

:)

[venta.livejournal.com]

It's all in your browser.

While I'm happy to accept that, that doesn't really explain why credit card forms normally *don't* cache the information, but this specific one does.

What? you haven't got one?

I haven't, no. No one uses my laptop but me, and the log-on is password protected. It's locked when I'm away from it, and thus a master password doesn't really seem to bring much to the party.

I'm curious about the autofillforms, so will experiment with it.

[venta.livejournal.com]

It's all in your browser. Under the preferences (I'm on a Mac so if you are on Doze it will vary.) Privacy, remember search and form history.

Just in case anyone else is reading this and fancies trying it, the Windows settings are:

Tools->Options->Privacy, set "Firefox will..." to "Use custom settings for history" to see the "Remember search and form history" checkbox.

Tools->Options->Security for the master password option.

[onebyone.livejournal.com]

There is no such attribute, although password controls generally shouldn't be auto-filled from a drop-down menu that displays the password, since that would break the rule that the text is rendered such as to hide the characters.

It's down to the user agent what is cached and how. I just switch it off, especially since I use different email addresses for different sites anyway.

In Firefox you can generally highlight a chunk of site and right-click > "View selection source" to see the HTML. It might be possible to use Firefox-specific and/or javascript tricks to prevent caching.

[zotz]

Yesterday another of my friends commented that this must mean Love accepts Oyster prepay.

[venta.livejournal.com]

Er.... what?

[valkyriekaren.livejournal.com]

Your subject line.

[venta.livejournal.com]

Ah. I promptly forgot about that and tried to apply zotz comments to web forms :)

[zotz]

Always a tricky process, that.

[venta.livejournal.com]

Yes, I did think you were being more than usually gnomic.

[zotz]

It was the pointy hat and fishing rod that tipped you off, wasn't it?

Somebody always notices.

[venta.livejournal.com]

No, I thought they were just sartorial statements.

Popping out of a door in amanita muscaria is a dead giveaway, though.

[bateleur.livejournal.com]

Some of the comments above are misleading.

The behaviour you want is accomplished by setting the property autocomplete = "off" on the <form> element.

[venta.livejournal.com]

Aha. Thank you. That explains why credit card forms don't usually display such things. Of course, the above suggestions sound sensible to me anyway, but it's nice to have that mystery cleared up.

[bateleur.livejournal.com]

the above suggestions sound sensible to me anyway

Well... maybe. There's always a trade-off between security and convenience. I do think it would be reasonable to contact the site and ask them to improve their form.

[alien8.livejournal.com]

..and there's nothing to stop a malicious site asking for the same data from your browser.. best not to have it in there.

IMHO Edit your saved data to pull the number.

... might not work...

[bondagewoodelf.livejournal.com]

autocomplete='off' is happily ignored by many browsers

Re: ... might not work...

[venta.livejournal.com]

That's a reason not to rely on it, it's not a reason for form-writers not to use it.

Re: ... might not work...

[undyingking.livejournal.com]

It not being valid HTML might be a reason... Not that writers of commercial web pages seem generally terribly obsessed with standards compliance.

Re: ... might not work...

[venta.livejournal.com]

Yes, I'm perfectly happy with invalidity as a reason for not using it.

[undyingking.livejournal.com]

Although it should probably be noted, for standards purists, that autocomplete is not a valid attribute for forms in either HTML 4 or XHTML 1 -- not all browsers may support it (although I think all the important ones do), and pages that include it will fail validation tests.

I believe it is to be included in HTML 5.

[bateleur.livejournal.com]

Standards purists are lovely people. They deserve a pat on the back and a piece of cake. They should not, however, be trusted to write real web pages.

I had this revelation once shortly after the Netscape "extensions" to HTML first came out. At first I thought they were evil. Then I realised it didn't matter whether they were evil or not, because individual web developers were free to use them or not as they chose and therefore they were an instant de-facto standard on account of being useful. (Whether Netscape themselves were evil for adding them in the first place is a more complex matter...)

[ar-gemlad.livejournal.com]

Netscape are definitely evil. It was them that did the blink tag, wasn't it?

[bateleur.livejournal.com]

Still not as annoying as <marquee>! Now that was a really stupid idea...

[ar-gemlad.livejournal.com]

Now I need to go for memory repression therapy again. To bury the memory...

[undyingking.livejournal.com]

That one came from IE, if I remember right. Microsoft fighting fire with fire.

[bateleur.livejournal.com]

Awesome! :-D

(Although... isn't JavaScript considered a bit web!satanic by such persons? I'm a bit out of touch.)

[undyingking.livejournal.com]

Ah yes, good old <CENTER>, how did we live without it? ;-0

I agree, I'm perfectly happy to use de facto standards myself; I figure that's between me and my users. But I can sympathize with the pained expression that some people develop when they see such things.

[leathellin.livejournal.com]

It is definitely in the draft on form and input.
HTML 5 is one of those more final than it ought to be working drafts :-)