Eligibility for autofill

[schwering]

Request for position on an emerging web specification

• WebKittens who can provide input: annevk

Information about the specification

• Title: Eligibility for autofill
• URL: Define eligibility for autofill whatwg/html#8801
• Explainer (if not README.md in the repository): https://github.com/schwering/shared-autofill

Design reviews and vendor positions

• TAG Design Review:
• Mozilla standards-positions issue: Eligibility for autofill mozilla/standards-positions#752

Bugs tracking this feature

• WebKit Bugzilla:
• Radar:

Anything else we need to know

The HTML spec currently does not clarify the necessary conditions when a user agent is allowed to autofill a group of fields. We propose a solution that defines a default grouping concept, and also allows the user agent to safely fill frame-transcending forms, which are common with payment forms.

Currently, the HTML spec mostly focuses on the autocomplete attribute. We generalize the text a little and shift the focus away from the attribute. We define "eligibility for autofill" in terms of a field's origin and a new policy-controlled feature shared-autofill.

[stephenmcgruer]

Hey folks; apologies if pinging is inappropriate, but we'd love to hear your input on this proposal, so I will ping just this once :)

[annevk]

Hey @schwering @stephenmcgruer, I'll ask. I also gave some feedback and asked some questions on the HTML PR as a start.

[annevk]

Our main feedback at this point beyond the editorial feedback already provided is that eligibility for autofill goes too far with its requirements. Autofill is a user interface feature and as such the call as to whether or not to make it work in a particular case is with the user agent and not the HTML Standard.

[schwering]

Thanks for the feedback!

I agree with the general position, but there are two issues with it.

Firstly, the standard actually already has language that requires specific behavior from the user agent:

A user agent prefilling a form control must not discriminate between form controls that are in a document tree and those that are connected; that is, it is not conforming to make the decision on whether or not to autofill based on whether the element's root is a shadow root versus a Document.

The proposed eligibility criteria merely states a necessary condition for autofill. Without it, we can't give a meaningful semantics of the policy-controlled feature shared-autofill. And shared-autofill in turn is needed for browsers to safely fill origin-transcending forms.

If we don’t standardize this, websites will have to keep implementing their own workarounds to “fill” across origins. Several payment service providers currently do this: they add invisible fields to the individual frames and post the autofilled values to the other, sometimes cross-origin frames. I think that's likely neither a win in terms of security (many individual solutions) nor usability (these workarounds can only approximate the browser's autofill behaviour; for example, they cannot preview the values before they're autofilled).

[annevk]

I'm not sure that requirement is worth keeping. Shadow trees are a mandatory part of the web platform. And not supporting them properly will lead to issues. It seems like the kind of thing we'd have written early on in the development of shadow trees to make it clear they're first-class citizens, but it doesn't really stand the test of time.

The language for shared-autofill (and autofill in general, if we overstepped elsewhere) could use may or should instead of must to make it clear user agents are allowed to do other things in the interest of end users.

[schwering]

I've replaced "must not" with "should not" in the following sentence in the spec proposal:

However, the user agent must not fill in a field if that field is not eligible for autofill.

This is intended to give the user agent the freedom to ignore eligibility for autofill if that truly is in the interest of the end user. It's intentionally vague because I suppose we can't foresee all scenarios in which the user agent might reasonably fill across origins without shared-autofill.

Alternatively, we could add a third, catch-all disjunct to the definition of eligibility for autofill. I'm not sure how to phrase such a condition in a way that's neither overly specific nor overly generic though.

[torgo]

Hi folks – We discussed this in today's TAG breakout.

We remain concerned with the level of information available to the user about what they have agreed to share with whom via auto-fill. Is it possible to advise UA providers to surface this information to the user in some way "are you OK with sharing your cc number with ecommerce site who uses payment provider as a payment provider?"

We also remain concerned about the multi-stakeholder buy in. If this is going to be adopted by the industry then we'd like to make sure it's widely adopted across browsers.

Apart from that can you let us know any other status or updates?

[annevk]

@torgo I suspect that was meant for w3ctag/design-reviews#831?

[torgo]

yikes! you're absolutely right @annevk. my bad and apologies for that. I'll leave it here as it might be relevant to your discussions, but also re-post to where it was supposed to go.