The policy-controlled feature `autofill` indicates whether it is safe to autofill fields in an embedded document.
Enabling `autofill` in an iframe signals to the user agent that fields in the embedded document may be autofilled together with fields in other documents. Conversely, if `autofill` is disabled in a document, the user agent may warn the user before autofilling any field in the document.
A related feature is `manual-text`: https://chromestatus.com/feature/5164522274553856
This specification improves data security while allowing browsers to autofill forms more seamlessly. For end users, it is often difficult to recognize third-party documents as such, let alone to identify the third party and reason about its trustworthiness. With the policy-controlled feature `autofill`, the embedding document expresses whether it considers an embedded document trustworthy as far as autofill is concerned.
The browser can use this signal to warn the user when they choose to autofill fields in an untrusted document, or it may even disable autofill there. If, on the other hand, the document is trusted (i.e., `autofill` is enabled), the user agent may treat the fields in the subframe like those in the embedding document and autofill them all at once.
The primary use case for enabling `autofill` in cross-origin frames is credit card payments: for compliance reasons, the most sensitive data (card number and CVC) are often embedded from a third-party payment service provider in cross-origin iframes. With `autofill`, those frames can be marked as trustworthy so the user agent can autofill them seamlessly. Today, payment service providers work around this using `postMessage()`: they trick the browser into autofilling invisible fields and then send the autofilled values to the other iframes.
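To review which third parties a checkout page marks as trustworthy for autofill, the following added example (not part of the specification or of any browser's code) evaluates each iframe's `allow` attribute using the general Permissions Policy allowlist syntax. The origins and frame records are constructed, and the sketch assumes only the `allow` attribute matters: it ignores `Permissions-Policy` response headers and the feature's default allowlist, which this page does not state.

```javascript
// Added example. Frame records and origins below are constructed sample data.
const PAGE_ORIGIN = "https://shop.example";
const FRAMES = [
  { src: "https://pay.example/card-number", allow: "autofill" },
  { src: "https://pay.example/cvc", allow: "autofill https://pay.example; fullscreen" },
  { src: "https://ads.example/banner", allow: "fullscreen" },
  { src: "https://widgets.example/chat", allow: "autofill 'self'" },
  { src: "/newsletter", allow: "" },
];

// Parse an `allow` attribute into Map(feature -> allowlist tokens).
// A feature named without an allowlist is shorthand for 'src'.
function parseAllow(allow) {
  const policy = new Map();
  for (const directive of (allow || "").split(";")) {
    const [feature, ...tokens] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature || policy.has(feature)) continue; // this helper keeps the first directive
    policy.set(feature, tokens.length ? tokens : ["'src'"]);
  }
  return policy;
}

// True when the frame's `allow` attribute lists the frame's own origin for `autofill`.
function autofillDelegated(frame, pageOrigin) {
  const tokens = parseAllow(frame.allow).get("autofill");
  if (!tokens) return false;
  const frameOrigin = new URL(frame.src, pageOrigin).origin;
  return tokens.some((t) => {
    if (t === "*" || t === "'src'") return true; // 'src' is the origin of the src URL
    if (t === "'none'") return false;
    if (t === "'self'") return frameOrigin === pageOrigin;
    try { return new URL(t).origin === frameOrigin; } catch { return false; }
  });
}

// Cross-origin frames the embedder has marked as trustworthy for autofill.
function crossOriginAutofillFrames(frames, pageOrigin) {
  return frames
    .filter((f) => new URL(f.src, pageOrigin).origin !== pageOrigin)
    .filter((f) => autofillDelegated(f, pageOrigin))
    .map((f) => f.src);
}

console.log(crossOriginAutofillFrames(FRAMES, PAGE_ORIGIN));
```

Only the two payment frames are reported: the chat widget's `'self'` allowlist names the embedding page's origin, not the widget's, so it delegates nothing to that frame.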