Gaping Browsers Flaws (or "features")

Computer Security


Reply
 
Thread Tools Display Modes
Old 06-02-2009, 04:36 AM   #1
Posted by JGalt (Newbie, Join Date: Jan 2009)

Gaping Browsers Flaws (or "features")

Hey all, I'm new here & this is my 1st post. I'm a Web developer amongst other things.
This is both a Browser security issue and also a big pain for Web developers.
Cross browser support has always been a huge time waster for developers. On top of that, there are new browsers coming out, and new versions (the notorious IE8).

Now this - we have to worry about the integrity of the Browsers themselves.
I read a while ago about Chrome falling at about the bottom of the ratings for Browser security. Then yesterday I read this, which was a relief since it confirmed (sort of) that I was not delusional or getting too little sleep.

I noticed about a month or so ago that one of my published web apps started acting goofy (form with password/confirm password fields- real exotic and unusual, right?). I won't name names, but there are Firefox addons that get out of hand. I did install the addon myself, assuming it would be about as generically good/bad as Google Autofill. If it's on the Mozilla site you would think it's reasonable to assume it works pretty well and maybe even was tested.

Anyway, when my app started misbehaving I thought for sure I had screwed something up somehow and spent hours testing, adding alerts, etc., testing in Chrome, Opera, Flock, Firefox & IE. I finally saw that the browser was overwriting the password field even using autocomplete=off and randomly generated field names (and no, the field id/name was not "password"). No matter what I tried, the browser (actually the popular addon) would overwrite the password field, whether it had a value or not.

I had to put in a lock/unlock field workaround - there's no point in complaining about the flaw and waiting 3-6 months for them to admit a problem and then actually fix it.

I didn't test what happens using SSL or Credit Card numbers.
You can test whatever browser(s) you use here and other places.

Hopefully autocomplete will become somewhat standardized (the sooner the better), or something like OpenID will be adopted or at least supported by all browsers. Or at least be able to understand that "autocomplete=off" == "Do not fill in this field and I really mean it". In the meantime, we Web developers are going to have to deal with semi-random Browser output as best as we can.

I'll save my rant about IE 8 for some other time.

Last edited by Strider; 06-02-2009 at 01:00 PM..
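The "lock/unlock field" workaround described in this post, as an added example that is not code from the thread: a DOM-free guard that records what the user actually typed into the password/confirm fields and, at submit time, reports whether something else (browser autofill or an add-on ignoring autocomplete=off) has overwritten them. It assumes the add-on writes input.value directly, which dispatches no 'input' event; the form and the field names "pw" and "pw_confirm" are placeholders.

```javascript
// Added example (not from the thread). Assumption: an autofill add-on assigns
// input.value directly, which fires no 'input' event, so only the user's own
// keystrokes reach onUserInput(); field names "pw"/"pw_confirm" are placeholders.
function createFieldGuard(fieldNames) {
  const typed = Object.create(null); // last value seen from a genuine 'input' event
  for (const name of fieldNames) typed[name] = "";
  return {
    // Hook to each field's 'input' event: records what the user actually typed.
    onUserInput(name, value) {
      if (name in typed) typed[name] = value;
    },
    // Call before submit with the fields' current values. Verdict per field:
    // "ok", "empty", "filled_externally" or "overwritten".
    check(currentValues) {
      const report = Object.create(null);
      for (const name of fieldNames) {
        const current = currentValues[name] || "";
        if (current === typed[name]) report[name] = current ? "ok" : "empty";
        else if (typed[name] === "") report[name] = "filled_externally";
        else report[name] = "overwritten";
      }
      return report;
    },
    // Equivalent of the poster's lock/unlock workaround: put the typed values back.
    restore(currentValues) {
      const fixed = Object.assign({}, currentValues);
      for (const name of fieldNames) fixed[name] = typed[name];
      return fixed;
    },
  };
}

// Block the submit if any guarded field no longer holds what the user typed.
function shouldBlockSubmit(report) {
  return Object.values(report).some((v) => v === "overwritten" || v === "filled_externally");
}

// Browser wiring for an assumed <form> whose fields are named as in fieldNames.
function attachGuard(form, fieldNames) {
  const guard = createFieldGuard(fieldNames);
  const read = () => Object.fromEntries(fieldNames.map((n) => [n, form.elements[n].value]));
  for (const n of fieldNames) form.elements[n].addEventListener("input", (e) => guard.onUserInput(n, e.target.value));
  form.addEventListener("submit", (e) => {
    const report = guard.check(read());
    if (!shouldBlockSubmit(report)) return;
    e.preventDefault(); // do not send the stomped value; put the typed ones back
    for (const [n, v] of Object.entries(guard.restore(read()))) form.elements[n].value = v;
  });
}
```

In a page this would be called as attachGuard(document.forms.signup, ["pw", "pw_confirm"]); the server must still check that both submitted values match, since any client-side guard can be switched off.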
Old 06-02-2009, 11:35 AM   #2
Posted by bakuryu (Join Date: May 2006, Location: India)

Re: Gaping Browsers Flaws (or "features")

Quote:
No matter what I tried, the browser (actually the popular addon) would overwrite the password field, whether it had a value or not.
As you mentioned, it's not the browser that is ignoring the web standards, but the addon. And the user must have installed the addon with his/her consent. The addon was designed in that way to help users automatically fill up forms irrespective of the autocomplete tag.

And besides, you cannot have control over which users install which addons. For cross browser compatibility you need to test your application with the default browser as it comes. The addons do not come pre-installed with Firefox. There's no point in cracking heads to find workarounds in these cases, since I can bypass the workaround you mentioned with the FireBug addon installed.
Old 07-02-2009, 06:02 AM   #3
Posted by JGalt (Newbie, Join Date: Jan 2009)

Re: Gaping Browsers Flaws (or "features")

If it's a web development addon, of course all bets are off. But it's not unreasonable to expect an addon to behave somewhat in line with the standards & the overall Browser's mode of operation. And most importantly be compliant with W3C autofill suggestions (Web Forms 2.0; note the specific mention of banks), although I don't think it's an official W3C standard yet. And of course, W3C standards overall.
If it sees autocomplete=off, it should at least be polite enough to ask if you want the field(s) stomped on.
I definitely agree that we SHOULD be able to just pass our code through the W3C validator and that's it. But then I thought perhaps at least hundreds of thousands of users might have the addon installed. So I sissied out & put in the workaround.
Even if my development app(s) compatibility check says all is okey-dokey and so does W3C, I still test in all of the major browsers, since you can depend on at least one or more of them to probably not do what you're telling them to, and it's always hard to say how MSIE and its own pseudo-standards are going to do.
Anyway, I've beaten this into the ground enough.
Final opinion: if the Browser is compliant/adequately secure but the addons (normal user-oriented ones) that it posts on its site are not, it just compromises the integrity of the browser. And pisses off Web developers.
Old 07-02-2009, 11:02 AM   #4
Posted by bakuryu (Join Date: May 2006, Location: India)

Re: Gaping Browsers Flaws (or "features")

The objective for the development of the autofill addons is to autofill forms without much user interaction. And I don't think it is going to follow W3C standards. The browsers should follow W3C standards in autofill, not the addon. If the addon also does what the browser does when it automatically fills in the forms, then there's no point in developing the addon.

And Internet Explorer always has its own standards; it's a real pain to get IE6 compatibility in most cases, especially in CSS rendering!!!!
Old 07-02-2009, 09:27 PM   #5
Posted by JGalt (Newbie, Join Date: Jan 2009)

Re: Gaping Browsers Flaws (or "features")

Yes, just as you can have a secure Operating System and install applications that have no awareness of or do not use the Native OS security.
Skins that make your Browser look like a Mac or the Girls Next Door toolbar are ok, but I don't think it's a real good idea for any Browser to post insecure addons & plugins on its own site.
Old 07-02-2009, 09:52 PM   #6
Posted by bakuryu (Join Date: May 2006, Location: India)

Re: Gaping Browsers Flaws (or "features")

Quote:
but I don't think it's a real good idea for any Browser to post insecure addons & plugins on its own site.
I don't think autofill addons are insecure. The usernames/passwords are still stored via the browser's password manager, which is quite secure. They might not follow some web standards, but you can't call them insecure addons that put users at risk of stolen passwords.