Would having this let authors somewhat more easily work around the intentionally-unsupported autocomplete="off"?
☆*PhistucK* On Tue, Apr 22, 2025 at 3:39 PM 'Christoph Schwering' via blink-dev < [email protected]> wrote: > Contact [email protected] > > Explainerhttps://github.com/explainers-by-googlers/safe-text-input/ > blob/main/autofill.md > > Summary > > The policy-controlled feature `autofill` indicates whether it is safe to > autofill fields in an embedded document. > > Enabling `autofill` in an iframe signals to the user agent that fields in > the embedded document may be autofilled together with fields in other > documents. Conversely, if `autofill` is disabled in a document, the user > agent may warn the user before autofilling any field in the document. > > A related feature is `manual-text`: > https://chromestatus.com/feature/5164522274553856 > > Blink componentBlink>FeaturePolicy > <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3EFeaturePolicy%22> > > Motivation > > This specification improves data security while allowing browsers to > autofill forms more seamlessly: For end users, it is often difficult to > recognize third-party documents as such, let alone to identify the third > party and reason about its trustworthiness. With the policy-controlled > feature `autofill`, the embedding document expresses whether it considers > an embedded document trustworthy as far as autofill is concerned. The > browser can use this to warn the user when they choose to autofill fields > in an untrusted document, or it may even disable autofill. If, on the > other hand, the document is trusted (i.e., `autofill` is enabled), the user > agent may treat the fields in the subframe similar to those in the > embedding document and autofill them all at once. The primary use-case of > enabling `autofill` in cross-origin frames is credit card payments: for > compliance reasons, the most sensitive data (card number and CVC) are often > embedded from a third-party payment service provider in cross-origin > iframes. With `autofill`, those frames can be marked as trustworthy so the > user agent can autofill them seamlessly. Today, payment service providers > work around this using postMessage(): they trick the browser into > autofilling invisible fields and then send the autofilled values to the > other iframes. > > Search tagsautofill <https://chromestatus.com/features#tags:autofill>, > feature-policy <https://chromestatus.com/features#tags:feature-policy> > > TAG reviewhttps://github.com/w3ctag/design-reviews/issues/831 > The TAG review started for an earlier proposal `shared-autofill`. After > feedback from TAG, we shifted the scope of the proposal from enabling > cross-origin autofill and other text input to controlling autofill in > cross-origin iframes. Shopify has expressed support > <https://github.com/w3ctag/design-reviews/issues/831#issuecomment-2619012166> > for the proposal. Mozilla > <https://github.com/mozilla/standards-positions/issues/752> and WebKit > <https://github.com/WebKit/standards-positions/issues/141> responses on > the earlier proposal `shared-autofill` were neutral. > > TAG review statusIn process > > Tracking bughttps://crbug.com/40178859 > > Launch bughttps://launch.corp.google.com/launch/4200980 > > Link to entry on the Chrome Platform Statushttps://chromestatus.com/ > feature/5066686516953088?gate=6437526022127616 > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > > -- > You received this message because you are subscribed to the Google Groups > "blink-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion visit > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN-ZcvGbsgKM2MDy14TUdDW9W29vvrm3v-kR4PrSZCHuUOrAEA%40mail.gmail.com > <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAN-ZcvGbsgKM2MDy14TUdDW9W29vvrm3v-kR4PrSZCHuUOrAEA%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABc02_JHVc-FwYxprnhZO39VCzPce9hGoEtnSMMd5EZ_JrWS_g%40mail.gmail.com.
