Eligibility for autofill #831
Comments
cynthia
added
Topic: HTML
Review type: CG early review
torgo
added
privacy-tracker
|
Hi - can you clarify where this work is currently happening? Is this slated to be done in WICG? Has there been any engagement on this topic with other engines / browsers? |
|
Thanks for bringing this to our attention. We looked at this during our F2F, and overall we are happy with this. It solves an immediate user need, which is being able to autofill cross origin forms, which as far as the user is concerned should work like any other form. We have a couple points we'd like to discuss here, both of which are likely out of your immediate control but would like to see some progress on.
|
|
As @annevk said elsewhere, autofill "is a user interface feature and as such the call as to whether or not to make it work in a particular case is with the user agent and not the HTML Standard." If some browsers' autofill doesn't work with fields in Shadow DOM, for instance, that seems like a bug in such browsers, and not with the spec. |
|
Thank you all for the feedback and comments! Re @torgo We intend to pursue this in the WHATWG as part of the HTML spec, and are looking to drive consensus on the autofill definitions within that group. Re @cynthia
Re @hober Thanks Tess (and Anne!); we do appreciate and agree that autofill is a user interface feature. However, we think there is value in giving web developers some structure around what they can roughly expect, and in particular we think specing shared-autofill as a clear (though non-binding) signal to the browser is valuable. Much like how autocomplete="cc-number" is a valuable signal for web developers to know about. We're happy to work with Anne to find the right middle-ground of what to spec – see our latest reply in the WebKit request for positions where we changed the text, and we can keep iterating on that! |
|
Hi folks – We discussed this in today's TAG breakout. We remain concerned with the level of information available to the user about what they have agreed to share with whom via auto-fill. Is it possible to advise UA providers to surface this information to the user in some way "are you OK with sharing your cc number with ecommerce site who uses payment provider as a payment provider?" We also remain concerned about the multi-stakeholder buy in. If this is going to be adopted by the industry then we'd like to make sure it's widely adopted across browsers. Apart from that can you let us know any other status or updates? |
|
Just a note: we can make time on Monday or Tuesday at TPAC at the WPWG meeting to discuss this if people would find that useful. (Tuesday afternoon is particularly good.) |
|
Thanks Ian. I'll be there and happy to present for such a discussion if there's interest. |
|
A few of us met at TPAC to discuss this: @torgo, @stephenmcgruer, Gerhard Oosthuizen, @cynthia and myself. Here's my summary of the conversation, please let me know if I missed or mis-recalled anything. First Dan said the TAG wanted to understand how we could help web payments shift towards something better than forms long-term. We all agree that entering strings into text fields is a sub-optimal user experience for completing a payment. @stephenmcgruer described the many years of efforts from WPWG and others, and how the industry is continuing to shift towards payment apps - whether via PaymentRequest or some other mechanism on top of web platform primitives. We talked a bit about things we may (or may not) be able to do to further accelerate a reduction on reliance of input fields, but I think there was agreement that input fields weren't going to just go away anytime soon. Certainly @stephenmcgruer and I intend to continue investing in approaches in Chrome to help meet the needs of the payments industry outside of input fields, but feel we need to address this tactical and pragmatic issue with payment forms in parallel with that. Secondly we discussed my proposal above to shift the policy away from a nuanced implementation detail of autofill ( On Chrome, we'd like to proceed with some urgency in this direction. Our current thinking is that we'll update our proposal to use the permission name |
|
Hi @RByers - Discussed briefly today and there is rough consensus that this is the right approach. We'd like to see it written up in a revised proposal – is that in the works? |
|
Great, glad to hear it @torgo! I'm personally excited about taking steps towards making the web's model for user data acquisition more explicit... Yes @schwering is working on an updated proposal but it may be delayed a bit now as something more urgent came up for him. We'll ping this review whenever the explainer and spec PR have been updated. But also this is really just a change of positioning / long-term goal (and policy name) with the immediate next step otherwise unchanged. |
|
Hi @RByers! Just to clarify, after a quick conversation at our plenary meeting today — we would appreciate it if you could explore some abuse scenarios in your updated proposal. We had some concerns, and would really value your thoughts on how to mitigate any potential problems. Huge thanks! |
|
Hi @hadleybeeman, do you mean improving on the existing attack vectors section of the explainer which focuses on how the narrow case of autofill split across frames could potentially be abused? Or do you mean broaden the abuse discussion to autofill in 3p iframes generally (i.e. status quo in multiple browsers) and how the new proposal gives a path to potentially reduce that risk over time? Or maybe both? |
|
Hi @RByers - we just discussed in TAG plenary today and I think what we're asking for is more the first thing - expansion on the existing attack vectors discussion - although in my view "attack vectors" may be too narrow a framing. What we're concerned about is general abuse scenarios of this new proposal: given that this new proposal is in place, what are the abuse scenarios, including by actors who may be "legitimate actors", and what are the mitigations against those? In other words, how may this be mis-used by players in the web ecosystem? |
torgo
modified the milestones:
2023-11-13-week,
2023-07-31-f2f-Mos-Eisley,
2024-01-23-f2f-London
|
Hi @RByers - we were just briefly reviewing status on this. First of all, has there been any update that we should be aware of? Should we be re-reviewing at this point? |
|
Hi Daniel! I'm currently revising the proposal, broadening its scope from autofill to (keyboard) input in iframes. I'll update the thread here when I have something to share. |
こんにちは TAG-さん!
I'm requesting a TAG review of shared-autofill.
Payment service providers (PSPs) often distribute form controls (e.g., credit card number, CVC) over multiple distinct PSP iframes on a merchant checkout page. We propose a same-origin policy for autofilling such frame-transcending forms. Additionally, some less-sensitive fields from a PSP point of view (such as cardholder name) are often part of the main merchant frame instead of inside PSP iframes. For this case, we propose a policy-controlled feature which allows a parent frame to designate child frames as trusted for the purposes of Autofill, irrespective of their origin, allowing the browser to fully fill such cross-frame forms.
Further details:
We'd prefer the TAG provide feedback as:
💬 leave review feedback as a comment in this issue and @-notify @schwering, @stephenmcgruer
Questionnaire
2.1 What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
Our proposal restricts which origins a browser may share Autofill information with.
The HTML standard currently does not specify which kinds of information are shared, which user action (if any) is necessary to share the information, and which origins the information may be shared with. Most browsers display a list of suggestions when the user interacts with a form control, and they share the selected information with the form control’s document when the user confirms a suggestion.
We propose to restrict this information sharing to documents which either have the same origin as the form control the user interacted with or have the newly proposed
shared-autofillenabled. As a policy-controlled feature, only the first party can enableshared-autofillin child frames.2.2 Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
Yes, our proposal minimizes the scope the information is shared. It will improve transparency in the following way.
Today’s browsers do not fill across origins. Many payment service providers work around by posting autofilled information from one frame to other frames using postMessage(). Naturally, such workarounds break the preview of to-be-autofilled information built into many browsers. Our spec makes such workarounds obsolete and lets the browser preview and autofill form controls in cross-origin form documents (if
shared-enableis enabled in the respective document).2.3 How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?
Our specification fills a gap in formalizing the conditions under which the browser may fill such information.
Our proposal allows sharing such information according to a same-origin policy and a newly proposed policy-controlled feature
shared-autofill, which can be passed by parent frames to their child frames to designate such frames as trustworthy for autofill purposes.As argued in 2.2, our proposal intends to make JavaScript workarounds obsolete and increase transparency.
2.4 How do the features in your specification deal with sensitive information?
See 2.3.
2.5 Do the features in your specification introduce new state for an origin that persists across browsing sessions?
No.
2.6 Do the features in your specification expose information about the underlying platform to origins?
No.
2.7 Does this specification allow an origin to send data to the underlying platform?
No.
2.8 Do features in this specification enable access to device sensors?
No.
2.9 Do features in this specification enable new script execution/loading mechanisms?
No.
2.10 Do features in this specification allow an origin to access other devices?
No.
2.11 Do features in this specification allow an origin some measure of control over a user agent’s native UI?
No.
2.12 What temporary identifiers do the features in this specification create or expose to the web?
None.
2.13 How does this specification distinguish between behavior in first-party and third-party contexts?
The first party can enable
shared-autofillin third-party child frames, and these child frames in turn can enableshared-autofillin their respective child frames. This behaviour is due toshared-autofillbeing a policy-controlled feature.2.14 How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
The proposal is unrelated to private browsing or incognito mode. A browser may decide to disable Autofill in such a mode.
2.15 Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
It doesn’t have sections with these titles, but it does have a section on attack vectors.
2.16 Do features in your specification enable origins to downgrade default security protections?
There are currently no security protections for Autofill. This proposal introduces default protections, as well as a policy-controlled feature that is disabled by default for cross-origin iframes.
2.17 How does your feature handle non-"fully active" documents?
Our specification excludes non-”fully-active” documents.
2.18 What should this questionnaire have asked?
It seems sufficient.
The text was updated successfully, but these errors were encountered: