I've created a web application which uses a tagbox drop down. This works great in all browsers except Chrome browser (Version 21.0.1180.89).
Despite both the
As of Chrome 42, none of the solutions/hacks in this thread (as of 2015-05-21T12:50:23+00:00) work for disabling autocomplete for an individual field or the entire form.
EDIT: I've found that you actually only need to insert one dummy email field into your form (you can hide it with display: none) before the other fields to prevent autocompleting. I presume that Chrome stores some sort of form signature with each autocompleted field and including another email field corrupts this signature and prevents autocompleting.
<form action="/login" method="post">
<input type="email" name="fake_email" style="display:none" aria-hidden="true">
<input type="email" name="email">
<input type="password" name="password">
<input type="submit">
</form>
The good news is that since the "form signature" is corrupted by this, none of the fields are autocompleted, so no JS is needed to clear the fake fields before submission.
Old Answer:
The only thing I've found to be still viable is to insert two dummy fields of type email and password before the real fields. You can set them to display: none to hide them away (it isn't smart enough to ignore those fields):
<form action="/login" method="post">
<input type="email" name="fake_email" style="display:none" aria-hidden="true">
<input type="password" name="fake_password" style="display:none" aria-hidden="true">
<input type="email" name="email">
<input type="password" name="password">
<input type="submit">
</form>
Unfortunately, the fields must be within your form (otherwise both sets of inputs are autofilled). So, for the fake fields to be truly ignored you'll need some JS to run on form submit to clear them:
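// Clear the decoy fields on submit so their values are never sent.
var form = document.querySelector('form');
form.addEventListener('submit', function() {
  form.elements['fake_email'].value = '';
  form.elements['fake_password'].value = '';
});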
Notice from above that clearing the value with JavaScript works to override the autocomplete. So if losing the proper behavior with JS disabled is acceptable, you can simplify all of this with a JS autocomplete "polyfill" for Chrome:
(function(document) {
  function polyfillAutocomplete(nodes) {
    for(var i = 0, length = nodes.length; i < length; i++) {
      if(nodes[i].getAttribute('autocomplete') === 'off') {
        nodes[i].value = '';
      }
    }
  }
  setTimeout(function() {
    polyfillAutocomplete(document.getElementsByTagName('input'));
    polyfillAutocomplete(document.getElementsByTagName('textarea'));
  }, 1);
})(window.document);
UPDATE
It seems now Chrome ignores the style="display: none;" or style="visibility: hidden;" attributes.
You can change it to something like:
<input style="opacity: 0;position: absolute;">
<input type="password" style="opacity: 0;position: absolute;">
In my experience, Chrome only autocompletes the first <input type="password"> and the previous <input>. So I've added:
<input style="display:none">
<input type="password" style="display:none">
to the top of the <form>, and the case was resolved.
Whilst I agree autocomplete should be a user choice, there are times when Chrome is over-zealous with it (other browsers may be too). For instance, a password field with a different name is still auto-filled with a saved password and the previous field populated with the username. This particularly sucks when the form is a user management form for a web app and you don't want autofill to populate it with your own credentials.
Chrome completely ignores autocomplete="off" now. Whilst the JS hacks may well work, I found a simple way which works at the time of writing:
Set the value of the password field to the control character 8 ("\x08" in PHP or &#8; in HTML). This stops Chrome auto-filling the field because it has a value, but no actual value is entered because this is the backspace character.
Yes this is still a hack, but it works for me. YMMV.
Well, a little late to the party, but it seems that there is a bit of misunderstanding about how autocomplete should and shouldn't work. According to the HTML specifications, the user agent (in this case Chrome) can override autocomplete:
https://www.w3.org/TR/html5/forms.html#autofilling-form-controls:-the-autocomplete-attribute
A user agent may allow the user to override an element's autofill field name, e.g. to change it from "off" to "on" to allow values to be remembered and prefilled despite the page author's objections, or to always "off", never remembering values. However, user agents should not allow users to trivially override the autofill field name from "off" to "on" or other values, as there are significant security implications for the user if all values are always remembered, regardless of the site's preferences.
So in the case of Chrome, the developers have essentially said "we will leave this to the user to decide in their preferences whether they want autocomplete to work or not. If you don't want it, don't enable it in your browser".
However, it appears that this is a little over-zealous on their part for my liking, but it is the way it is. The specification also discusses the potential security implications of such a move:
The "off" keyword indicates either that the control's input data is particularly sensitive (for example the activation code for a nuclear weapon); or that it is a value that will never be reused (for example a one-time-key for a bank login) and the user will therefore have to explicitly enter the data each time, instead of being able to rely on the UA to prefill the value for him; or that the document provides its own autocomplete mechanism and does not want the user agent to provide autocompletion values.
So after experiencing the same frustration as everyone else, I found a solution that works for me. It is similar in vein to the autocomplete="false" answers.
A Mozilla article speaks to exactly this problem:
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
In some case, the browser will keep suggesting autocompletion values even if the autocomplete attribute is set to off. This unexpected behavior can be quite puzzling for developers. The trick to really force the no-completion is to assign a random string to the attribute
So the following code should work:
autocomplete="nope"
And so should each of the following:
autocomplete="false"
autocomplete="foo"
autocomplete="bar"
The issue I see is that the browser agent might be smart enough to learn the autocomplete attribute and apply it next time it sees the form. If it does do this, the only way I can see to still get around the problem would be to dynamically change the autocomplete attribute value when the page is generated.
One point worth mentioning is that many browsers will ignore autocomplete settings for login fields (username and password). As the Mozilla article states:
For this reason, many modern browsers do not support autocomplete="off" for login fields.
- If a site sets autocomplete="off" for a form, and the form includes username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.
- If a site sets autocomplete="off" for username and password input fields, then the browser will still offer to remember this login, and if the user agrees, the browser will autofill those fields the next time the user visits this page.
This is the behavior in Firefox (since version 38), Google Chrome (since 34), and Internet Explorer (since version 11).
Finally, a little info on whether the attribute belongs on the form element or the input element. The spec again has the answer:
If the autocomplete attribute is omitted, the default value corresponding to the state of the element's form owner's autocomplete attribute is used instead (either "on" or "off"). If there is no form owner, then the value "on" is used.
So, putting it on the form should apply to all input fields. Putting it on an individual element should apply to just that element (even if there isn't one on the form). If autocomplete isn't set at all, it defaults to on.
Summary
To disable autocomplete on the whole form:
<form autocomplete="off" ...>
Or if you dynamically need to do it:
<form autocomplete="random-string" ...>
To disable autocomplete on an individual element (regardless of the form setting being present or not):
<input autocomplete="off" ...>
Or if you dynamically need to do it:
<input autocomplete="random-string" ...>
And remember that certain user agents can override even your hardest fought attempts to disable autocomplete.
TL;DR: Tell Chrome that this is a new password input and it won't provide old ones as autocomplete suggestions:
<input type="password" name="password" autocomplete="new-password">
autocomplete="off" doesn't work due to a design decision - lots of research shows that users have much longer and harder to hack passwords if they can store them in a browser or password manager.
The specification for autocomplete has changed, and now supports various values to make login forms easy to auto complete:
<!-- Auto fills with the username for the site, even though it's email format -->
<input type="email" name="email" autocomplete="username">
<!-- current-password will populate for the matched username input -->
<input type="password" autocomplete="current-password" />
If you don't provide these Chrome still tries to guess, and when it does it ignores autocomplete="off".
The solution is that autocomplete values also exist for password reset forms:
<label>Enter your old password:
<input type="password" autocomplete="current-password" name="pass-old" />
</label>
<label>Enter your new password:
<input type="password" autocomplete="new-password" name="pass-new" />
</label>
<label>Please repeat it to be sure:
<input type="password" autocomplete="new-password" name="pass-repeat" />
</label>
You can use this autocomplete="new-password" flag to tell Chrome not to guess the password, even if it has one stored for this site.
Chrome can also manage passwords for sites directly using the credentials API, which is a standard and will probably have universal support eventually.
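An added example (not part of the answers above, and not Chrome's own logic): a small Node.js audit that applies the inheritance rule quoted from the spec and the login-field behaviour from the MDN excerpt to a constructed form. The `auditForm` function, its verdict names and the sample markup are assumptions made for illustration.

```javascript
// Added example: regex-based audit, adequate for simple server-rendered markup only.
// Subset of the HTML autofill field names that matter for credential forms.
const KNOWN_TOKENS = new Set(['username', 'email', 'current-password', 'new-password', 'one-time-code']);

function attr(tag, name) {
  const m = new RegExp('\\s' + name + '\\s*=\\s*"([^"]*)"', 'i').exec(tag);
  return m ? m[1].trim().toLowerCase() : null;
}

function auditForm(html) {
  const formTag = (/<form\b[^>]*>/i.exec(html) || [''])[0];
  // Spec rule quoted in the thread: an input without its own attribute inherits
  // "on" or "off" from its form owner; with no attribute anywhere it is "on".
  const inherited = attr(formTag, 'autocomplete') === 'off' ? 'off' : 'on';
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const type = attr(tag, 'type') || 'text';
    if (type === 'submit') continue;
    const effective = attr(tag, 'autocomplete') || inherited;
    const style = (attr(tag, 'style') || '').replace(/\s/g, '');
    let verdict;
    // Hidden decoy inputs are the workaround several answers rely on.
    if (/display:none|visibility:hidden|opacity:0(;|$)/.test(style)) verdict = 'decoy-field';
    // Per the MDN excerpt, browsers do not honour "off" on login fields.
    else if (type === 'password' && effective === 'off') verdict = 'off-ignored-for-login-field';
    else if (type === 'password' && effective === 'on') verdict = 'browser-will-guess';
    else if (effective === 'on' || effective === 'off' || KNOWN_TOKENS.has(effective)) verdict = 'ok';
    else verdict = 'unrecognised-token'; // e.g. "nope": not in the subset above
    findings.push({ name: attr(tag, 'name'), effective, verdict });
  }
  return findings;
}

// Constructed sample: a user-management form of the kind described in the thread.
const SAMPLE = `
<form action="/users/new" method="post" autocomplete="off">
  <input type="text" name="trap" style="display: none">
  <input type="email" name="email">
  <input type="password" name="password">
  <input type="password" name="pass-new" autocomplete="new-password">
  <input type="text" name="nickname" autocomplete="nope">
  <input type="submit">
</form>`;

console.log(auditForm(SAMPLE));
```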
I've solved the endless fight with Google Chrome with the use of random characters. When you always render autocomplete with a random string, it will never remember anything.
<input name="name" type="text" autocomplete="rutjfkde">
Hope that it will help other people.