Don't need no credit card to ride this train

Jun. 8th, 2010 11:20 am
venta: (Default)
[personal profile] venta
An question about web forms and security...

When filling in forms (I use FireFox), it's often possible to hit the down arrow and get a list of things you previously typed into that field. This is kind of handy, mostly, and results in me not having to type my name or email address out a lot.

Forms taking things like credit card details don't usually do this - for obvious reasons - and I assume the existence of some sort of 'nocache' attribute which the form-writer can set on the fields which contain information which should be a little more secure.

Except today I filled in an entire payment form (card number, expiry date, security code, the lot) from cached information based on me having filled the same form out on that website months ago. This strikes me as Not Good.

I intend to write to the site in question and tell them I think they're a bit rubbish... but I'd like to be sure I know what I'm talking about first. Am I right about the form attribute ? Am I totally wrong, and this is something which FireFox implements wrongly and the site itself can't be blamed for ?

Informed opinion welcome :)
  • Current Music: The Indelicates - Songs for Swinging Lovers
Tags:
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Date: 2010-06-08 10:45 am (UTC)
From: [identity profile] bateleur.livejournal.com
Some of the comments above are misleading.

The behaviour you want is accomplished by setting the property autocomplete = "off" on the <form> element.

Date: 2010-06-08 10:47 am (UTC)
From: [identity profile] venta.livejournal.com
Aha. Thank you. That explains why credit card forms don't usually display such things. Of course, the above suggestions sound sensible to me anyway, but it's nice to have that mystery cleared up.

Date: 2010-06-08 10:49 am (UTC)
From: [identity profile] bateleur.livejournal.com
the above suggestions sound sensible to me anyway

Well... maybe. There's always a trade-off between security and convenience. I do think it would be reasonable to contact the site and ask them to improve their form.

Date: 2010-06-08 12:40 pm (UTC)
From: [identity profile] alien8.livejournal.com
..and there's nothing to stop a malicious site asking for the same data from your browser.. best not to have it in there.

IMHO Edit your saved data to pull the number.

... might not work...

Date: 2010-06-08 10:54 am (UTC)
ext_5939: (horrible)
From: [identity profile] bondagewoodelf.livejournal.com
autocomplete='off' is happily ignored by many browsers

Re: ... might not work...

Date: 2010-06-08 10:56 am (UTC)
From: [identity profile] venta.livejournal.com
That's a reason not to rely on it, it's not a reason for form-writers not to use it.

Re: ... might not work...

Date: 2010-06-08 11:00 am (UTC)
From: [identity profile] undyingking.livejournal.com
It not being valid HTML might be a reason... Not that writers of commercial web pages seem generally terribly obsessed with standards compliance.

Re: ... might not work...

Date: 2010-06-08 11:03 am (UTC)
From: [identity profile] venta.livejournal.com
Yes, I'm perfectly happy with invalidity as a reason for not using it.
Edited Date: 2010-06-08 11:03 am (UTC)

Date: 2010-06-08 10:57 am (UTC)
From: [identity profile] undyingking.livejournal.com
Although it should probably be noted, for standards purists, that autocomplete is not a valid attribute for forms in either HTML 4 or XHTML 1 -- not all browsers may support it (although I think all the important ones do), and pages that include it will fail validation tests.

I believe it is to be included in HTML 5.

Date: 2010-06-08 11:04 am (UTC)
From: [identity profile] bateleur.livejournal.com
Standards purists are lovely people. They deserve a pat on the back and a piece of cake. They should not, however, be trusted to write real web pages.

I had this revelation once shortly after the Netscape "extensions" to HTML first came out. At first I thought they were evil. Then I realised it didn't matter whether they were evil or not, because individual web developers were free to use them or not as they chose and therefore they were an instant de-facto standard on account of being useful. (Whether Netscape themselves were evil for adding them in the first place is a more complex matter...)

Date: 2010-06-08 11:10 am (UTC)
From: [identity profile] ar-gemlad.livejournal.com
Netscape are definitely evil. It was them that did the blink tag, wasn't it?

Date: 2010-06-08 11:13 am (UTC)
From: [identity profile] bateleur.livejournal.com
Still not as annoying as <marquee>! Now that was a really stupid idea...

Date: 2010-06-08 11:14 am (UTC)
From: [identity profile] ar-gemlad.livejournal.com
Now I need to go for memory repression therapy again. To bury the memory...

Date: 2010-06-08 11:15 am (UTC)
From: [identity profile] undyingking.livejournal.com
That one came from IE, if I remember right. Microsoft fighting fire with fire.
(deleted comment)

Date: 2010-06-08 11:15 am (UTC)
From: [identity profile] bateleur.livejournal.com
Awesome! :-D

(Although... isn't JavaScript considered a bit web!satanic by such persons? I'm a bit out of touch.)

Date: 2010-06-08 11:13 am (UTC)
From: [identity profile] undyingking.livejournal.com
Ah yes, good old <CENTER>, how did we live without it? ;-0

I agree, I'm perfectly happy to use de facto standards myself; I figure that's between me and my users. But I can sympathize with the pained expression that some people develop when they see such things.

Date: 2010-06-08 11:07 am (UTC)
From: [identity profile] leathellin.livejournal.com
It is definitely in the draft on form and input.
HTML 5 is one of those more final than it ought to be working drafts :-)
  • Add Memory
  • Share This Entry
Flat | Top-Level Comments Only

Profile

venta: (Default)
venta

December 2025

S M T W T F S
 123456
78910111213
14151617181920
212223 24252627
28293031   

Most Popular Tags

Page Summary

Style Credit

Expand Cut Tags

No cut tags
Page generated Dec. 27th, 2025 09:04 pm
Powered by Dreamwidth Studios