According to the IE blog Eric Lawrence’s blog, IE 11 has an “improved Password manager” which “keeps [the] user in control”. So far so good (here at Mozilla, we’re all in favour of user control :-), but it then goes on to say that one of the ways it does so is that it “ignores autocomplete=off”.

autocomplete=off is the way that pages give a “hint” to the browser as to what sort of form autocomplete behaviour they should provide. Ignoring it is, as I read the HTML5 spec, permitted, and one can see the superficial attractiveness of this. I’m sure we’ve all come across pages where the form fields won’t save even when we want them to.

However, we at Mozilla have never agreed to ignore this attribute across the entire web to “fix” this problem, because what we think would happen then (and what may happen with IE) is that sites implement non-standard workarounds. For some people, such as banks, stopping the browser storing authentication credentials is a business requirement – no argument. And if we don’t provide a standards-compliant way of doing it, they’ll use a non-standard one. For example, they might read the form fields out in an onsubmit() handler, then blank them, and submit the values in differently-named hidden form fields – so when the submit happens, the browser “sees” those fields as empty and doesn’t save anything. This is worse because it means the page requires JavaScript, but also because it’s much harder or impossible for particular individuals to disable such work-around mechanisms (e.g. those with accessibility needs which make filling in form fields much harder, and who want to make a different trade-off).

Ignoring autocomplete=”off” leads to an arms race, with users as the losers. So I hope Microsoft reconsider this move.