The autocomplete attribute and web documents using XHTML: Difference between revisions



(As a sidenote, if we went down the namespaced route, we might like to create a more general http://www.legacymarkup.org/xmlns/legacyml namespace as a retirement home for all sorts of legacy markup that the W3C would, admirably but somewhat impractically, ignore.)
== Appendix: Autocomplete alternatives ==
Some readers may be interested in what else is possible with present technology and markup.
=== Security ===
1. You could try educating your users in the dangers of public and unsecured machines, and in how to use their browser's autocompletion functionality selectively. Unfortunately, your users are unlikely to have the same interest in the subject that you have -- until their identity is compromised, at which point they'll be more interested -- and angry, very angry. And even if they're interested, the majority of internet users are a poor match for more technically sophisticated crooks.
2. Instead of an <code>autocomplete</code> attribute, consider using a [http://en.wikipedia.org/wiki/Nonce nonce (Wikipedia)].
Let's say you have a field like:
<blockquote><pre>
<input type="text" name="my_sensitive_data" autocomplete="off" />
</pre></blockquote>
You could replace that with:
<blockquote><pre>
<input type="hidden" name="my_nonce" value="dLafr5aCo0pH7eyo" />
<input type="text" name="dLafr5aCo0pH7eyo" />
</pre></blockquote>
Here "dLafr5aCo0pH7eyo" is a value generated randomly server-side for each request of the form. On submission, the server reads the nonce from "my_nonce" and then reads the value of the field with that name ("dLafr5aCo0pH7eyo") into "my_sensitive_data". The browser will still remember the form data, but it will never be offered for autocompletion because the name of the relevant field is different each time. This method has the advantage of being fully compatible with the W3C's HTML and XHTML specifications, and it does protect the user from their sensitive data simply appearing in fields when someone else uses their computer. However, it obviously offers no protection against someone able to read their stored personal data.
3. Consider offering your users a hardware device, itself accessed using a code, which will generate one-shot passwords, such as [http://www.securecomputing.com/index.cfm?skey=21 SafeWord]. Some banks do use this, but be aware that some potential clients will run a mile at the thought of having to keep track of yet another gadget.
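The server side of the nonce method in item 2 above, as an added example rather than code from the article: it renders the form with a fresh random field name, then maps the submitted field back to "my_sensitive_data". It also rejects a nonce the server never issued, or one already consumed, so that an arbitrary submitted field name is never accepted as the data field. The in-memory set standing in for per-session server state is an assumption.

```python
import secrets
from html import escape

LOGICAL_NAME = "my_sensitive_data"
# Constructed stand-in for per-session server state (assumption): nonces
# handed out in rendered forms that have not yet been consumed.
issued_nonces = set()


def render_form():
    """Render the two inputs with a fresh random field name and hidden nonce."""
    nonce = secrets.token_urlsafe(12)  # 16 URL-safe chars, like "dLafr5aCo0pH7eyo"
    issued_nonces.add(nonce)
    markup = (
        f'<input type="hidden" name="my_nonce" value="{escape(nonce)}" />\n'
        f'<input type="text" name="{escape(nonce)}" />'
    )
    return nonce, markup


def handle_submission(form):
    """Map the nonce-named field back to LOGICAL_NAME.

    `form` is a dict of submitted name -> value. Returns the parsed data, or
    None when the nonce is unknown, already used, or its field is missing.
    """
    nonce = form.get("my_nonce")
    if nonce not in issued_nonces:
        return None  # not issued by this server, or replayed
    issued_nonces.discard(nonce)  # one-shot: each rendered form submits once
    if nonce not in form:
        return None
    return {LOGICAL_NAME: form[nonce]}


if __name__ == "__main__":
    nonce, markup = render_form()
    print(markup)
    print(handle_submission({"my_nonce": nonce, nonce: "example-secret"}))
    print(handle_submission({"my_nonce": "forged", "forged": "x"}))  # None
```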
=== JavaScript autocompletion ===
The nonce method described above is a good candidate here.
Although Google Suggest does use the <code>autocomplete</code> attribute, there are Ajax libraries that achieve similar effects without it.