> On the other hand, if all browsers collectively chose to completely > ignore autocomplete=off, that might allow proceeding more > aggressively. > Sure, and that's why we're bringing it up with the > standards body. Before we proceed any further, we want to make sure that > (a) our intention is known, and (b) make sure we're not missing anything > critical. So far, the arguments in favor of autocomplete='off' are pretty > much as we already understood them. >
Any legal perspective? Banks/financial sites may want autocomplete=off because the user is responsible for keeping his password safe. What happens in the case of fraud? Is the password manager/browser liable? The bank? The user? Who gets sued? That's probably the concern, maybe a liable="user" attribute with popup "hey by using auto-complete manager... do you agree to these risks, insert TOS here..." ?