Confusion over AUTOCOMPLETE=OFF attributes in HTML forms

2013-02-07 00:00:00 +0000

Before HTML5 location and scope of the autocomplete attribute was not really standardized, which causes some confusion both among programmers and pentesters. The autocomplete attribute iwill disable browser autocompletion in HTML forms when rendered by compliant browsers. It should be applied to fields containing sensitive data (passwords, credit card numbers) to prevent browsers from storing them in insecure storage for future autocompletion.

There’s however some confusion about location of the autocomplete attribute. Before HTML5 it was not standardized and the attribute implementation resembled rather a quick hack, with important consequences when you tried to use it as an audit reference.