有没有有效的方法来禁用 HTML 表单中的自动完成功能?
使用 xhtml1-transitional.dtd 文档类型时,使用以下 HTML 收集信用卡号
<input type="text" id="cardNumber" name="cardNumber" autocomplete='off'/>
将在 W3C 验证器上标记警告:
没有“自动完成”属性。
是否有符合标准的方法来禁用浏览器对表单中敏感字段的自动完成功能?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(18)
这里是 MDC 的一篇好文章,解释了表单自动完成的问题(和解决方案)。
Microsoft 也在此处发布了类似的内容。
老实说,如果这对您的用户来说很重要,那么以这种方式“打破”标准似乎是合适的。 例如,亚马逊大量使用“自动完成”属性,而且似乎效果很好。
如果您想完全删除警告,您可以使用 JavaScript 将属性应用到支持它的浏览器(IE 和 Firefox 是重要的浏览器),使用
someForm.setAttribute( "autocomplete", "off" ); someFormElm.setAttribute( "autocomplete", "off" );最后,如果您的网站使用 HTTPS,IE 会自动关闭自动完成功能(据我所知,其他一些浏览器也是如此)。
更新
由于这个答案仍然得到了相当多的支持,我只是想指出,在 HTML5 中,您可以在表单元素上使用“自动完成”属性。 请参阅 W3C 上的文档。
Here is a good article from the MDC which explains the problems (and solutions) to form autocompletion.
Microsoft has published something similar here, as well.
To be honest, if this is something important to your users, 'breaking' standards in this way seems appropriate. For example, Amazon uses the 'autocomplete' attribute quite a bit, and it seems to work well.
If you want to remove the warning entirely, you can use JavaScript to apply the attribute to browsers that support it (IE and Firefox are the important browsers) using
someForm.setAttribute( "autocomplete", "off" ); someFormElm.setAttribute( "autocomplete", "off" );Finally, if your site is using HTTPS, IE automatically turns off autocompletion (as do some other browsers, as far as I know).
Update
As this answer still gets quite a few upvotes, I just wanted to point out that in HTML5, you can use the 'autocomplete' attribute on your form element. See the documentation on W3C for it.
如果 W3C 提出一种适用于 (X)HTML4 的方法,我会感到非常惊讶。 自动完成功能完全基于浏览器,并在过去几年中引入(远在 HTML4 标准编写之后)。
不过,如果 HTML5 拥有这样的功能,我们也不会感到惊讶。
编辑:正如我所想,HTML5 <强>确实有这个功能。 要将页面定义为 HTML5,请使用以下文档类型(即:将其作为源代码中的第一个文本)。 请注意,并非所有浏览器都支持该标准,因为它仍处于草案形式。
I would be very surprised if W3C would have proposed a way that would work with (X)HTML4. The autocomplete feature is entirely browser-based, and was introduced during the last years (well after the HTML4 standard was written).
Wouldn't be surprised if HTML5 would have one, though.
Edit: As I thought, HTML5 does have that feature. To define your page as HTML5, use the following doctype (i.e: put this as the very first text in your source code). Note that not all browsers support this standard, as it's still in draft-form.
HTML 4:否
HTML 5:是
参考:W3
HTML 4: No
HTML 5: Yes
Reference: W3
不会,但浏览器自动完成功能通常是由与之前填写的字段具有相同
name属性的字段触发的。 如果您可以采用一种巧妙的方法来获得随机字段名称,则自动完成功能将无法提取该字段之前输入的任何值。如果您要为输入字段指定一个类似于“
email_”的名称,然后让接收此数据的脚本通过 POST 或 GET 变量循环查找某些内容匹配模式“email_[some number]”,您可以实现此目的,并且(实际上)保证成功,无论浏览器如何。No, but browser auto-complete is often triggered by the field having the same
nameattribute as fields that were previously filled out. If you could rig up a clever way to have a randomized field name, autocomplete wouldn't be able to pull any previously entered values for the field.If you were to give an input field a name like "
email_<?= randomNumber() ?>", and then have the script that receives this data loop through the POST or GET variables looking for something matching the pattern "email_[some number]", you could pull this off, and this would have (practically) guaranteed success, regardless of browser.不,Mozila Wiki 中有一篇好文章。
我将继续使用无效的
属性。 我认为这就是实用主义应该战胜验证主义的地方。No, a good article is here in Mozila Wiki.
I would continue to use the invalid
attribute. I think this is where pragmatism should win over validating.用JavaScript来设置怎么样?
它并不完美,但您的 HTML 是有效的。
How about setting it with JavaScript?
It's not perfect, but your HTML will be valid.
我建议捕获所有 4 种类型的输入:
参考:
I suggest catching all 4 types of input:
Reference:
如果你使用 jQuery,你可以做类似的事情:
并在你想要的地方使用 autocompleteOff 类:
如果你希望所有输入都是
autocomplete=off,你可以简单地使用它:If you use jQuery, you can do something like that :
and use the autocompleteOff class where you want :
If you want ALL your input to be
autocomplete=off, you can simply use that :另一种方法 - 这也有助于安全性是每次显示输入框时都将其称为不同的名称:就像验证码一样。 这样,会话就可以读取一次性输入,而自动完成则无需进行任何操作。
关于 rmeador 是否应该干扰浏览器体验的问题,我只想说一点:我们开发了联系人管理和联系人管理功能。 CRM 系统,当您将其他人的数据输入表单时,您不希望它不断地建议您自己的详细信息。
这适合我们的需求,但我们可以告诉用户获得一个像样的浏览器:)
Another way - which will also help with security is to call the input box something different every time you display it: just like a captha. That way, the session can read the one-time only input and Auto-Complete has nothing to go on.
Just a point regarding rmeador's question of whether you should be interfering with the browser experience: We develop Contact Management & CRM systems, and when you are typing other people's data into a form you don't want it constantly suggesting your own details.
This works for our needs, but then we have the luxury of telling users to get a decent browser:)
autocomplete="off"这应该可以解决所有现代浏览器的问题。在当前版本的 Gecko 浏览器中,自动完成属性可以完美运行。 对于早期版本,回到 Netscape 6.2,它适用于带有“地址”和“名称”的表单
更新
在某些情况下,浏览器将继续建议自动完成值,即使自动完成属性是设置为关闭。 这种意外的行为可能会让开发人员感到非常困惑。 真正强制不自动完成的技巧是为属性分配一个随机字符串,例如:
由于这个随机值不是
有效的,浏览器将给出向上。文档
autocomplete="off"this should fix the issue for all modern browsers.In current versions of Gecko browsers, the autocomplete attribute works perfectly. For earlier versions, going back to Netscape 6.2, it worked with the exception for forms with "Address" and "Name"
Update
In some cases, the browser will keep suggesting autocompletion values even if the autocomplete attribute is set to off. This unexpected behavior can be quite puzzling for developers. The trick to really forcing the no-autocompletion is to assign a random string to the attribute, for example:
Since this random value is not a
valid one, the browser will give up.Documetation
使用随机“名称”属性对我有用。
我在发送表单时重置了名称属性,以便您在发送表单时仍然可以通过名称访问它。 (使用id属性来存储名称)
Using a random 'name' attribute works for me.
I reset the name attribute when sending the form so you can still access it by name when the form is sent. (using the id attribute to store the name)
请注意,自动完成属性的位置存在一些混乱。 它可以应用于整个 FORM 标记或单个 INPUT 标记,并且在 HTML5 之前这并没有真正标准化(明确允许 两者 位置)。 较旧的文档最值得注意的是这篇Mozilla 文章仅提到了 FORM 标签。 同时,一些安全扫描器只会在 INPUT 标记中查找自动完成功能,如果缺少它,则会发出警告(即使它位于在父表单中)。 对这一混乱情况的更详细分析发布在此处:Confusion over AUTOCOMPLETE=OFF attribute in HTML forms。
Note that there's some confusion about location of the autocomplete attribute. It can be applied either to the whole FORM tag or to individual INPUT tags, and this wasn't really standardized before HTML5 (that explicitly allows both locations). Older docs most notably this Mozilla article only mentions FORM tag. At the same time some security scanners will only look for autocomplete in INPUT tag and complain if it's missing (even if it is in the parent FORM). A more detailed analysis of this mess is posted here: Confusion over AUTOCOMPLETE=OFF attributes in HTML forms.
不太理想,但是您可以在每次渲染文本框时更改文本框的 ID 和名称 - 您也必须在服务器端跟踪它,以便可以获取数据。
不确定这是否有效,只是一个想法。
Not ideal, but you could change the id and name of the textbox each time you render it - you'd have to track it server side too so you could get the data out.
Not sure if this will work or not, was just a thought.
我认为有一个更简单的方法。
创建一个具有随机名称的隐藏输入(通过 javascript)并将用户名设置为该名称。 重复输入密码。 这样您的后端脚本就可以准确地知道适当的字段名称是什么,同时保持自动完成功能不知情。
我可能是错的,但这只是一个想法。
I think there's a simpler way.
Create a hidden input with a random name (via javascript) and set the username to that. Repeat with the password. This way your backend script knows exactly what the appropriate field name is, while keeping autocomplete in the dark.
I'm probably wrong, but it's just an idea.
我在 2020 年做到了这一点!
我基本上创建了一个 css 类,将 -webkit-text-security 应用于我的输入。
这是最近讨论的链接:
https://stackoverflow.com/a/64471795/8754782
I MADE THIS WORK IN 2020!
I basically create a css class that applies -webkit-text-security to my inputs.
Here's the link to a more recent discussion:
https://stackoverflow.com/a/64471795/8754782
该解决方案适用于我:
如果您想在此区域使用自动填充:在元素中添加
autocomplete="false"前任:
This solution works with me:
if you want use autofill in this region: add
autocomplete="false"in elementex:
有效自动完成功能关闭
Valid autocomplete off