Add autocomplete="off" to all generated hidden fields (fixes #42610) #43280
Merged
rafaelfranca merged 2 commits into rails:main, Sep 22, 2021
Conversation
Member
Action text tests are broken. Can you take a look?
Contributor (Author)
Should be fixed by 58127ec.
rafaelfranca added a commit that referenced this pull request on Sep 22, 2021:
Add autocomplete="off" to all generated hidden fields (fixes #42610)
andyundso added a commit to simplificator/datatrans that referenced this pull request on Feb 21, 2022:
Looks like this was introduced to "fix" a bug in Firefox: rails/rails#42610 rails/rails#43280
kevindew added a commit to alphagov/whitehall that referenced this pull request on Mar 11, 2022:
Starting in Rails 6.1.5 hidden inputs have autocomplete="off" set as an attribute, thus the test HTML needs to be updated. This is explained further in: rails/rails#43280
brendon added a commit to brendon/rails that referenced this pull request on Oct 31, 2024:
rails#43280 introduced an enforced `autocomplete="off"` to all hidden inputs generated by Rails to fix a [firefox bug](https://bugzilla.mozilla.org/show_bug.cgi?id=520561). Unfortunately it's also a legitimate use-case to specify an `autocomplete` with a value such as `username` and a value on a hidden input. This hints to the browser that (in this example) the username of a password reset form is what we've provided as the value and the password manager can store it as such. This commit only sets `autocomplete="off"` if another `autocomplete` value isn't provided. Supersedes rails#47798 which didn't seem to be as elegant a solution and didn't have proper tests.
byroot pushed a commit to brendon/rails that referenced this pull request on Nov 15, 2024:
rails#43280 introduced an enforced `autocomplete="off"` to all hidden inputs generated by Rails to fix a [firefox bug](https://bugzilla.mozilla.org/show_bug.cgi?id=520561). Unfortunately it's also a legitimate use-case to specify an `autocomplete` with a value such as `username` and a value on a hidden input. This hints to the browser that (in this example) the username of a password reset form is what we've provided as the value and the password manager can store it as such. This commit only sets `autocomplete="off"` if another `autocomplete` value isn't provided. Supersedes rails#47798 which didn't seem to be as elegant a solution and didn't have proper tests.
Summary
Firefox has a longstanding bug where it may populate hidden inputs without autocomplete="off" with completely random values. Since Rails uses hidden fields extensively for e.g. CSRF protection and non-standard HTTP methods via _method, Firefox users interacting with otherwise-fine Rails apps will see random "Invalid Authenticity Token" errors and form inputs getting interpreted as the incorrect HTTP method, among other unexpected behavior. Adding autocomplete="off" does not appear to have any negative consequences for other browsers, and is valid HTML. There's more discussion and links at: #42610
I recently bundled my workaround for this into a gem for Rails 6.1 apps, rails-hidden_autocomplete, which I've now reworked into this PR so that it can benefit all Rails users & developers, since this bug is currently extremely frustrating to diagnose and fix in real-world apps (see also podqueue/rails-hidden_autocomplete#2).
Other Information
I appreciate that this change might need to be gated behind a new framework default for ActionView, which I'd be happy to work on adding if that's the consensus.
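The following is an added example and not code from this PR or from Rails itself. It shows, in a simplified stand-in for `hidden_field_tag`, the behaviour the PR description above asks for (every generated hidden input carries `autocomplete="off"`) together with the refinement from brendon's later commit (an explicit `autocomplete` value such as `username` is kept rather than overridden). It also adds two helpers with hypothetical names, `unprotected_hidden_inputs` and `harden_hidden_inputs`, that audit and patch already-rendered markup, which is the check an app still on a Rails version without this fix would want. `SAMPLE_FORM` is a constructed input; `sanitize_to_id` only approximates how Rails derives an id from a field name.

```ruby
require "cgi"

# Simplified stand-in for Rails' hidden_field_tag (example code, not Rails').
# Always emits autocomplete="off" unless the caller passed an autocomplete value.
def hidden_field_tag(name, value = nil, options = {})
  attrs = { "type" => "hidden", "name" => name.to_s, "id" => sanitize_to_id(name) }
  attrs["value"] = value.to_s unless value.nil?
  options.each { |k, v| attrs[k.to_s] = v.to_s }
  # Default to "off" only; keep e.g. autocomplete="username" when it was given,
  # so a password manager can still learn the username of a reset form.
  attrs["autocomplete"] = "off" unless attrs.key?("autocomplete")
  "<input " + attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v)}") }.join(" ") + " />"
end

# Approximation of how Rails turns a field name into an id ("user[email]" -> "user_email").
def sanitize_to_id(name)
  name.to_s.delete("]").tr("^-a-zA-Z0-9:.", "_")
end

INPUT_TAG        = /<input\b[^>]*>/i
IS_HIDDEN        = /\btype\s*=\s*["']?hidden["']?/i
HAS_AUTOCOMPLETE = /\bautocomplete\s*=/i

# Audit helper (hypothetical name): the hidden <input> tags in rendered HTML
# that carry no autocomplete attribute, i.e. the ones Firefox may refill with
# stale values (CSRF tokens and _method fields are the usual victims).
def unprotected_hidden_inputs(html)
  html.scan(INPUT_TAG).select { |tag| tag =~ IS_HIDDEN && tag !~ HAS_AUTOCOMPLETE }
end

# Post-processing fix (hypothetical name) for markup produced by an older Rails
# or a hand-written form: append autocomplete="off" to each unprotected hidden input.
def harden_hidden_inputs(html)
  html.gsub(INPUT_TAG) do |tag|
    next tag unless tag =~ IS_HIDDEN && tag !~ HAS_AUTOCOMPLETE
    tag.sub(/\s*(\/?)>\z/) do
      Regexp.last_match(1) == "/" ? %( autocomplete="off" />) : %( autocomplete="off">)
    end
  end
end

# Constructed sample form: the _method field is protected, the CSRF token field is not.
SAMPLE_FORM = <<~HTML
  <form action="/users/1" method="post">
    <input type="hidden" name="_method" value="patch" autocomplete="off" />
    <input type="hidden" name="authenticity_token" value="abc123" />
    <input type="text" name="user[name]" value="Ada" />
    <input type="submit" value="Save" />
  </form>
HTML

if __FILE__ == $0
  puts hidden_field_tag("authenticity_token", "abc123")
  puts hidden_field_tag("user[email]", "ada@example.com", autocomplete: "username")
  unprotected_hidden_inputs(SAMPLE_FORM).each { |tag| puts "unprotected: #{tag}" }
  puts harden_hidden_inputs(SAMPLE_FORM)
end
```

Running the file prints the two generated tags, flags the `authenticity_token` input as unprotected, and prints the hardened form in which every hidden input now carries an `autocomplete` attribute. The audit is deliberately regex-based so it runs without a parser dependency; it is meant for a quick check of rendered pages or test fixtures, not as a general HTML parser.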