MailWatch
MailWatch copied to clipboard
Safari/Chrome bug with autocomplete="off" in form in user_manager.php
In most place where we have autocomplete="off" in form code, it doesn't work.
In New User and Edit User form, I added autocomplete="off" and this doesn't work too.
This is especially annoying for the Edit User form or from time to time, the fields are automatically replaced by bad value.
autocomplete=off is largely ignored in modern browsers - primarily due to password managers etc.
You can try adding this autocomplete="new-password"
it's not fully supported by all browsers, but it works on some
I already tried new-password. Doesn't work. Seems that we need to use a javascript solution.
The only place where autocomplete is Ok is the login form... ;)
Found this. https://scotsscripts.com/blog/html-css-trick-how-to-turn-off-auto-complete.html
I have tried this and it works (tested with Safari, Firefox and Chrome).
Mod line 375 in user_manager.php:
echo '</table></form><script>$(\'form\').attr(\'autocomplete\',\'off\');</script><br>'."\n";
We can do this for all the others </form>
in the script.
I have also read that Safari searches for words like Email and Password in a form and enables autocomplete.
I don't know how this is supposed to work, as $('form') is a jquery syntax, which is not included in MailWatch 1.2 (and will not be included in 1.2).
Works with the following for me at line 81 in the user_manager.php (Tested with Firefox, Chrome, IE, Edge). No JavaScript needed.
echo "<FORM METHOD=\"GET\" ACTION=\"user_manager.php\" AUTOCOMPLETE=\"OFF\">\n";
That would be for all input field of the form but it also works for single fields
Updated user_manager.php from PR #418
Problem is back with Safari OSX. Will look at this later.
When we edit users, the "Username" is replaced by another value (yellow box). Do this will all users defined in MailWatch.
Line is 193 in user_manager.php.
I tried many things: specific id, autocomplete off, replace username with fake_username, javascript, nothing works.
Only this work... But we can no longer see the value.
echo " <TR><TD CLASS=\"heading\">" . __('username0212') . "</TD><TD><INPUT TYPE=\"TEXT\" NAME=\"username\" VALUE=\"" . $row->username . "\" style=\"display:none\"></TD></TR>\n";
If someone have a solution.
I tried to replace with "disabled" but now, the Name (fullname) field is autocompleted...
echo " <TR><TD CLASS=\"heading\">" . __('username0212') . "</TD><TD><INPUT TYPE=\"TEXT\" NAME=\"username\" VALUE=\"" . $row->username . "\" disabled></TD></TR>\n";
Also tried with "readonly".
Crazy story.
Seems to be a bug of Safari http://stackoverflow.com/questions/22661977/disabling-safari-autofill-on-usernames-and-passwords
Does it help to rename the field to username1 or so?
Have you tries the fix of dsuess at the link above?
I also tried to change NAME="username-xyz".
Don't works.
Found this:
The REAL problem here is that Webkit (Safari, Chrome, ...) has a bug. When there's more than one [form] on the page, each with an [input type="text" name="foo" ...] (i.e. with the same value for the attribute 'name'), then when the user returns to the page the autofill will be done in the input field of the FIRST [form] on the page, not in the [form] that was sent. The second time, the NEXT [form] will be autofilled, and so on. Only [form] with an input text field with the SAME name will be affected.
After have tried all solution found on Google, none solution works. The only one working is to replace in form type="password" by type="text". If we don't have type password, not autocomplete at all. But I need to find a solution to "simulate" "*******" when we type a password in the password field.
if that is the only solution i suggest that we just ignore this bug because it is a realy bad practise to use text for passwords
Look at my solution with a dedicated font... ;-)
Not sure if we should do such a hacky solution just to fix a problem which is caused by a defect implementation in a browser
The problem is in Firefox and Chrome. Ok with Firefox.
For me it works with the autocomplete=off in chrome on windows. Which version of the autocomple=off did you used? The one for the complete form or the single input fields?
I tried only on Macintosh (OS X 10.12.2). autocomplete="off" tried in form or/and input. I tried all the example with css, id, name, js found on Google. None works.
Tested on Safari, Chrome and Firefox on Macintosh OSX. Tested on Microsoft Edge and Chrome on Windows 10.
I tested on some new installations of browser of osx and I can replicate this behavior only if I agree to store password inside browser (I don't do this on my browsers so I've never encountered this "feature"). Seems like browser will do what hey want with username and password fields as stated on Mozilla developer website (https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion).
On the bottom of that webpage there are a couple of suggestions:
- use
autocomplete="new-password"
on password fields used for user registration, like add user form - use
autocomplete="nope"
to trick the browser on an invalid value forautocomplete
attribute so that it gives up
Hi Michael!
autocomplete="new-password" autocomplete="nope"
Tested. Doesn't work.
for me this works in Firefox, Chrome, IE and Edge on Windows 10. Not sure about Safari or OSX cause I'm not using them. https://github.com/Skywalker-11/1.2.0/commit/06d6016736ff194e48a19d6502b5f2ce45991044
EDIT: sorry does not work I had a plugin that has been automatically installed which somehow disabled the autocomplete
Have you tested this on a clean browser? If you agreed to the browser request to save password it will ignore any attempt to not save passwords...
As well, the problem encountered only if we "store" the password in the browser. This is what I've done... I'm a fake. ;)
can you try https://github.com/Skywalker-11/1.2.0/commit/0c9196ac8c920c32cfc4bac4c97aea1ca074dcf0
This will reset the form 120ms after page load and so should clear the input fields
Sadly, doesn't work!
I downloaded user_manager.php and functions.php from your branch. Ok?
If I remember, I tried yesterday a script with a system of refresh/reset as yours. Was not working too.
if you are on the page and hit the reset button does that clear the input fields? If yes you can try to set the timeout in line 474 to a higher value than 120