From 01a27005e5a1af7f2f7a0d755022d1302a5c2c45 Mon Sep 17 00:00:00 2001 From: Christoph Schwering Date: Tue, 15 Nov 2022 02:51:58 +0100 Subject: [PATCH 1/7] Define eligibility for autofill Introduces a necessary condition for a user-agent to autofill a collection of form controls: A form control C is eligible for autofill if C's node document D is fully active and one of the following is true: - Some element is focused and its node document's origin is the same origin as D's origin. - The shared-autofill feature is enabled in document for D's origin. Above, "shared-autofill" refers to a new policy-controlled feature. Explainer: https://github.com/schwering/shared-autofill We have no Web Platform Tests because there is no JavaScript API for triggering Autofill. In particular, there is no API for storing or accessing data to be filled (e.g., a credit card). Chromium integration tests for autofilling forms that span multiple frames are here: https://crsrc.org/chrome/browser/autofill/autofill_across_iframes_browsertest.cc --- source | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 75 insertions(+), 4 deletions(-) diff --git a/source b/source index d4dcb7f79ef..d387f3d093b 100644 --- a/source +++ b/source @@ -4707,6 +4707,9 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute data-x="">cross-origin-isolated", which has a default allowlist of 'self'. +
  • "shared-autofill", which + has a default allowlist of 'self'.
    • @@ -44716,6 +44719,9 @@ interface HTMLTableCellElement : HTMLElement { <p><button>Submit order</button></p> </form> +

    User agents are not limited to the form controls of a specific form + in their automatic filling. In particular, they might consider fields from different documents + as explained in the eligible for autofill section.

    Improving the user experience on mobile devices
    @@ -55715,13 +55721,77 @@ form.method === input; // => true
    Autofill
    +

    Some user agents have features for helping users fill forms in, for example prefilling the + user's address based on earlier user input. They may autofill either an individual form control or + multiple controls at once.

    + +
    +

    A user agent might offer the user to automatically fill their address in a form like the + following.

    + + 
    <form method=post action="https://pizza.exampe.com/order.cgi">
+  <label> Name:        <input name=name></textarea> </label>
+  <label> Address:     <input name=address></textarea> </label>
+  <label> City:        <input name=city> </label>
+  <label> Postal Code: <input name=postal> </label>
+  <label> Country:     <select name=country>...</select> </label>
+</form>
    + +

    For example, the user agent could suggest values to fill when the user focuses or types in + one of the controls.

    +
    + +

    The user agent may fill multiple controls at once even if they have different + form owners, root elements, or even + node documents. However, the user agent must not fill in a + field if that field is not eligible for autofill.

    + +
    Eligibility for autofill
    + +

    A form control control is eligible for autofill if control's + node document document is fully active and one of the + following is true:

    + + + +
    +

    Consider the following page https://pizza.example.com/:

    + + 
    <form method=post>
+  <p> Cardholder name:    <input name=name>
+  <p> Credit card number: <iframe src="https://pay.example.com/number.html" allow=shared-autofill></iframe>
+  <p> Expiration date:    <input name=expiration-date>
+  <p> CVC:                <iframe src="https://pay.example.com/cvc.html" allow=shared-autofill></iframe>
+</form>
+<iframe src="https://ads.example.com/ad.html"></iframe>
    + +

    Let number.html and cvc.html each contain an + input.

    + +

    Suppose the user starts filling the cardholder name and the user agent offers to fill the + entire credit card form. The name and + expiration-date controls are eligible by means of their origin, and the + controls in number.html and cvc.html are eligible + due to the shared-autofill feature. + By contrast, none of the controls in ad.html is eligible because of the + distinct origins and the absent shared-autofill + feature; this prevents leaking to the ad server.

    +
    + +
    Autofilling form controls: the autocomplete attribute
    -

    User agents sometimes have features for helping users fill forms in, for example prefilling the - user's address based on earlier user input. The The autocomplete content attribute can be used to hint to - the user agent how to, or indeed whether to, provide such a feature.

    + the user agent how to, or indeed whether to, autofill a form control.

    @@ -134551,6 +134621,7 @@ INSERT INTERFACES HERE Christian Johansen, Christian Schmidt, Christoph Päper, + Christoph Schwering, Christophe Dumez, Christopher Aillon, Christopher Cameron, From 44e9a290aa00987253def0d28a0773069e799068 Mon Sep 17 00:00:00 2001 From: Christoph Schwering Date: Thu, 23 Mar 2023 03:01:43 +0100 Subject: [PATCH 2/7] Feedback: remove input names and add iframe content --- source | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/source b/source index d387f3d093b..3ea803081c6 100644 --- a/source +++ b/source @@ -55730,11 +55730,11 @@ form.method === input; // => true     following.

    <form method=post action="https://pizza.exampe.com/order.cgi">
-  <label> Name:        <input name=name></textarea> </label>
-  <label> Address:     <input name=address></textarea> </label>
-  <label> City:        <input name=city> </label>
-  <label> Postal Code: <input name=postal> </label>
-  <label> Country:     <select name=country>...</select> </label>
+  <label> Name:        <input></textarea> </label>
+  <label> Address:     <input></textarea> </label>
+  <label> City:        <input> </label>
+  <label> Postal Code: <input> </label>
+  <label> Country:     <select>...</select> </label>
 </form>

    For example, the user agent could suggest values to fill when the user focuses or types in @@ -55766,28 +55766,34 @@ form.method === input; // => true

    Consider the following page https://pizza.example.com/:

    <form method=post>
-  <p> Cardholder name:    <input name=name>
+  <p> Cardholder name:    <input>
   <p> Credit card number: <iframe src="https://pay.example.com/number.html" allow=shared-autofill></iframe>
-  <p> Expiration date:    <input name=expiration-date>
+  <p> Expiration date:    <input>
   <p> CVC:                <iframe src="https://pay.example.com/cvc.html" allow=shared-autofill></iframe>
 </form>
 <iframe src="https://ads.example.com/ad.html"></iframe>

    Let number.html and cvc.html each contain an - input.

    + input:

    + + 
    <!doctype html>
+<html>
+ <body>
+  <input>
+</html>

    Suppose the user starts filling the cardholder name and the user agent offers to fill the - entire credit card form. The name and - expiration-date controls are eligible by means of their origin, and the - controls in number.html and cvc.html are eligible - due to the shared-autofill feature. + entire credit card form. The cardholder name and expiration date controls are eligible by means + of their origin, and the controls in number.html and + cvc.html are eligible due to the + shared-autofill feature. By contrast, none of the controls in ad.html is eligible because of the distinct origins and the absent shared-autofill feature; this prevents leaking to the ad server.

    -
    Autofilling form controls: the autocomplete attribute
    +
    The autocomplete attribute

    The autocomplete content attribute can be used to hint to From 88abc23c1205d802968c722939193909ff889297 Mon Sep 17 00:00:00 2001 From: Christoph Schwering Date: Tue, 28 Mar 2023 19:05:22 +0200 Subject: [PATCH 3/7] The agent "should" instead of "must" only autofill eligible fields --- source | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/source b/source index 3ea803081c6..06b1ead0401 100644 --- a/source +++ b/source @@ -55743,7 +55743,7 @@ form.method === input; // => true

    The user agent may fill multiple controls at once even if they have different form owners, root elements, or even - node documents. However, the user agent must not fill in a + node documents. However, the user agent should not fill in a field if that field is not eligible for autofill.

    Eligibility for autofill
    @@ -109288,7 +109288,6 @@ function showLogout() { -

    Web workers

    Introduction

    From c4ad614aaa6f5bd2ca9665ea9cc370465b597c3e Mon Sep 17 00:00:00 2001 From: Christoph Schwering Date: Thu, 25 May 2023 05:00:42 +0200 Subject: [PATCH 4/7] Feedback: ...traversible with user attention, indentation, newlines --- source | 81 ++++++++++++++++++++++++++++++---------------------------- 1 file changed, 42 insertions(+), 39 deletions(-) diff --git a/source b/source index 06b1ead0401..a2fe7c33133 100644 --- a/source +++ b/source @@ -44719,10 +44719,12 @@ interface HTMLTableCellElement : HTMLElement { <p><button>Submit order</button></p> </form> +

    User agents are not limited to the form controls of a specific form in their automatic filling. In particular, they might consider fields from different documents as explained in the eligible for autofill section.

    +
    Improving the user experience on mobile devices
    @@ -55726,70 +55728,70 @@ form.method === input; // => true multiple controls at once.

    -

    A user agent might offer the user to automatically fill their address in a form like the - following.

    - - 
    <form method=post action="https://pizza.exampe.com/order.cgi">
-  <label> Name:        <input></textarea> </label>
-  <label> Address:     <input></textarea> </label>
-  <label> City:        <input> </label>
-  <label> Postal Code: <input> </label>
-  <label> Country:     <select>...</select> </label>
+   
    A user agent might offer the user to automatically fill their address in a form like the
+   following.
    
+
+   
    <form method=post action="https://pizza.exampe.com/order.cgi">
+ <label> Name:        <input></textarea> </label>
+ <label> Address:     <input></textarea> </label>
+ <label> City:        <input> </label>
+ <label> Postal Code: <input> </label>
+ <label> Country:     <select>...</select> </label>
 </form>
    
 
-    
    For example, the user agent could suggest values to fill when the user focuses or types in
-    one of the controls.
    
+   
    For example, the user agent could suggest values to fill when the user focuses or types in
+   one of the controls.

    The user agent may fill multiple controls at once even if they have different - form owners, root elements, or even - node documents. However, the user agent should not fill in a - field if that field is not eligible for autofill.

    + form owners, root nodes, or even + node documents. However, the user agent should only fill in + controls that are eligible for autofill.

    Eligibility for autofill

    A form control control is eligible for autofill if control's - node document document is fully active and one of the - following is true:

    + node document document is a fully active descendant of a top-level + traversible with user attention and one of the following is true:

      -

    • Some element is focused and its node document's - origin is the same origin as - document's origin.

      • +

    • Some element is focused and its node document's + origin is the same origin as + document's origin.

      • -

    • The shared-autofill feature is enabled in - document for document's - origin.

      • +

    • The shared-autofill feature is enabled in + document for document's + origin.

    -

    Consider the following page https://pizza.example.com/:

    +

    Consider the following page https://pizza.example.com/:

    - 
    <form method=post>
-  <p> Cardholder name:    <input>
-  <p> Credit card number: <iframe src="https://pay.example.com/number.html" allow=shared-autofill></iframe>
-  <p> Expiration date:    <input>
-  <p> CVC:                <iframe src="https://pay.example.com/cvc.html" allow=shared-autofill></iframe>
+   
    <form method=post>
+ <p> Cardholder name:    <input>
+ <p> Credit card number: <iframe src="https://pay.example.com/number.html" allow=shared-autofill></iframe>
+ <p> Expiration date:    <input>
+ <p> CVC:                <iframe src="https://pay.example.com/cvc.html" allow=shared-autofill></iframe>
 </form>
 <iframe src="https://ads.example.com/ad.html"></iframe>
    
 
-    
    Let number.html and cvc.html each contain an
-    input:
    
+   
    Let number.html and cvc.html each contain an
+   input:
    
 
-   
    <!doctype html>
+  
    <!doctype html>
 <html>
  <body>
   <input>
 </html>
    
 
-    
    Suppose the user starts filling the cardholder name and the user agent offers to fill the
-    entire credit card form. The cardholder name and expiration date controls are eligible by means
-    of their origin, and the controls in number.html and
-    cvc.html are eligible due to the
-    shared-autofill feature.
-    By contrast, none of the controls in ad.html is eligible because of the
-    distinct origins and the absent shared-autofill
-    feature; this prevents leaking to the ad server.
    
+   
    Suppose the user starts filling the cardholder name and the user agent offers to fill the
+   entire credit card form. The cardholder name and expiration date controls are eligible by means
+   of their origin, and the controls in number.html and
+   cvc.html are eligible due to the
+   shared-autofill feature.
+   By contrast, none of the controls in ad.html are eligible because of the
+   distinct origins and the absent shared-autofill
+   feature; this prevents leaking information to the ad server.
    @@ -109288,6 +109290,7 @@ function showLogout() { +

    Web workers

    Introduction

    From 6e26441ec74e997cff47b8061699ca1485588676 Mon Sep 17 00:00:00 2001 From: Christoph Schwering Date: Thu, 25 May 2023 05:03:35 +0200 Subject: [PATCH 5/7] Add note with examples for ignoring eligibility/shared-autofill --- source | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/source b/source index a2fe7c33133..98ba8219783 100644 --- a/source +++ b/source @@ -55764,7 +55764,7 @@ form.method === input; // => true     origin.

    -
    +

    Consider the following page https://pizza.example.com/:

    <form method=post>
@@ -55794,6 +55794,26 @@ form.method === input; // => true
    feature; this prevents leaking information to the ad server.

    +
    +

    The user agent does not have to fill in all eligible form controls, and it can fill + in form controls that are not eligible. In particular, it can ignore + shared-autofill depending on the type of data + to be filled and the relationships of the controls' node navigables. For example:

    + +
      +

    • The user agent can ignore shared-autofill + when filling in usernames and passwords which are associated to a specific + origin.

      • +

    • The user agent can ignore shared-autofill + in Documents whose navigable is not a descendant + of the fully active descendant of a top-level traversible with user attention + because payment form controls are frequently hosted in cross-origin iframes + like in the example above. +

    • The user agent can fill in cross-origin form controls because the user + consented.

      • +
    +
    +
    The autocomplete attribute
    From 37a17c061e8531fbfef0e43a577ae196c73ea06f Mon Sep 17 00:00:00 2001 From: Christoph Schwering Date: Tue, 30 May 2023 03:03:26 +0200 Subject: [PATCH 6/7] Extend note and example This commit extends the example to explain how and why payment forms today use cross-origin iframes. It also extends the note to explain why a user agent might ignore share-autofill or fill in controls even when shared-autofil is disabled. --- source | 69 ++++++++++++++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 29 deletions(-) diff --git a/source b/source index 98ba8219783..5a9d07fa5ec 100644 --- a/source +++ b/source @@ -44721,7 +44721,7 @@ interface HTMLTableCellElement : HTMLElement {

    User agents are not limited to the form controls of a specific form - in their automatic filling. In particular, they might consider fields from different documents + in their automatic filling. In particular, they can consider fields from different documents as explained in the eligible for autofill section.

    @@ -55723,13 +55723,13 @@ form.method === input; // => true
    Autofill
    -

    Some user agents have features for helping users fill forms in, for example prefilling the +

    Some user agents have features for helping users fill in forms, for example prefilling the user's address based on earlier user input. They may autofill either an individual form control or multiple controls at once.

    -

    A user agent might offer the user to automatically fill their address in a form like the - following.

    +

    A user agent might offer the user to automatically fill their address in the following + form.

    <form method=post action="https://pizza.exampe.com/order.cgi">
  <label> Name:        <input></textarea> </label>
@@ -55739,11 +55739,11 @@ form.method === input; // => true
    <label> Country: <select>...</select> </label> </form> -

    For example, the user agent could suggest values to fill when the user focuses or types in +

    For example, the user agent could suggest values to fill when the user focuses or types into one of the controls.

    -

    The user agent may fill multiple controls at once even if they have different +

    The user agent may fill in multiple controls at once even if they have different form owners, root nodes, or even node documents. However, the user agent should only fill in controls that are eligible for autofill.

    @@ -55752,7 +55752,7 @@ form.method === input; // => true

    A form control control is eligible for autofill if control's node document document is a fully active descendant of a top-level - traversible with user attention and one of the following is true:

    + traversable with user attention and one of the following is true:

    • Some element is focused and its node document's @@ -55765,7 +55765,15 @@ form.method === input; // => true

    -

    Consider the following page https://pizza.example.com/:

    +

    In this example, the pizza store has outsourced payment processing to a service provider. To + comply with the payment industry standard PCI-DSS, certain form controls are hosted + in cross-origin iframes. Visually, these form controls integrate seamlessly with the pizza + store's look and feel; the user is not made aware of the controls' origins. +

    + +

    The checkout form on https://pizza.example.com/ has enabled + shared-autofill as a hint to the user agent to fill + in the entire payment form.

    <form method=post>
  <p> Cardholder name:    <input>
@@ -55775,7 +55783,7 @@ form.method === input; // => true
    </form> <iframe src="https://ads.example.com/ad.html"></iframe> -

    Let number.html and cvc.html each contain an +

    number.html and cvc.html each contain an input:

    <!doctype html>
@@ -55784,34 +55792,34 @@ form.method === input; // => true
    <input> </html> -

    Suppose the user starts filling the cardholder name and the user agent offers to fill the +

    Suppose the user starts typing the cardholder name and the user agent offers to fill in the entire credit card form. The cardholder name and expiration date controls are eligible by means of their origin, and the controls in number.html and cvc.html are eligible due to the shared-autofill feature. - By contrast, none of the controls in ad.html are eligible because of the - distinct origins and the absent shared-autofill - feature; this prevents leaking information to the ad server.

    + None of the controls in ad.html is eligible because of the distinct + origins and the absent shared-autofill feature; + this prevents leaking information to the ad server.

    -

    The user agent does not have to fill in all eligible form controls, and it can fill - in form controls that are not eligible. In particular, it can ignore - shared-autofill depending on the type of data - to be filled and the relationships of the controls' node navigables. For example:

    +

    Whether a form control is eligible for autofill by means of + shared-autofill might be beyond control of the + focused document: policy-controlled + features can be enabled or disabled by a parent document in its children, but not vice + versa. This reflects how form controls in cross-origin iframes are commonly seamlessly integrated + with the top-level document. The user agent might ignore + shared-autofill in documents that are not + descendants of the focused document, perhaps depending on the value that would be filled.

    -
      -

    • The user agent can ignore shared-autofill - when filling in usernames and passwords which are associated to a specific - origin.

      • -

    • The user agent can ignore shared-autofill - in Documents whose navigable is not a descendant - of the fully active descendant of a top-level traversible with user attention - because payment form controls are frequently hosted in cross-origin iframes - like in the example above. -

    • The user agent can fill in cross-origin form controls because the user - consented.

      • -
    +

    The user agent might generally ignore + shared-autofill in cross-origin frames + when filling in usernames and passwords since these credentials might be associated to a specific + origin.

    + +

    On the other hand, the user agent might fill in cross-origin form controls in the absence of + shared-autofill if it thinks this is the user's + intention, for example, because the user consented.

    @@ -134167,6 +134175,9 @@ INSERT INTERFACES HERE
    [PAYMENTREQUEST]
    Payment Request API, M. Cáceres, D. Wang, R. Solomakhin, I. Jacobs. W3C.
    +
    [PCI-DSS]
    +
    (Non-normative) PCI Data Security Standard — Information Supplement: Best Practices for Securing E-commerce. Payment Card Industry Security Standards Council.
    +
    [PDF]
    (Non-normative) Document management — Portable document format — Part 1: PDF. ISO.
    From 61821b72335fc9d5e8d4fe99733b4ef460779e0f Mon Sep 17 00:00:00 2001 From: Christoph Schwering Date: Thu, 22 Jun 2023 18:51:04 +0200 Subject: [PATCH 7/7] Fix line wrapping; remove blank line; fix typo --- source | 65 +++++++++++++++++++++++++++++----------------------------- 1 file changed, 32 insertions(+), 33 deletions(-) diff --git a/source b/source index 5a9d07fa5ec..a131f8235a3 100644 --- a/source +++ b/source @@ -44719,7 +44719,6 @@ interface HTMLTableCellElement : HTMLElement { <p><button>Submit order</button></p> </form> -

    User agents are not limited to the form controls of a specific form in their automatic filling. In particular, they can consider fields from different documents as explained in the eligible for autofill section.

    @@ -55743,10 +55742,10 @@ form.method === input; // => true one of the controls.

    -

    The user agent may fill in multiple controls at once even if they have different - form owners, root nodes, or even - node documents. However, the user agent should only fill in - controls that are eligible for autofill.

    +

    The user agent may fill in multiple controls at once even if they have different form owners, root nodes, or even node documents. However, the user agent should only fill in controls that are + eligible for autofill.

    Eligibility for autofill
    @@ -55755,25 +55754,25 @@ form.method === input; // => true     traversable with user attention and one of the following is true:

    In this example, the pizza store has outsourced payment processing to a service provider. To comply with the payment industry standard PCI-DSS, certain form controls are hosted in cross-origin iframes. Visually, these form controls integrate seamlessly with the pizza - store's look and feel; the user is not made aware of the controls' origins. -

    + store's look and feel; the user is not made aware of the controls' origins.

    -

    The checkout form on https://pizza.example.com/ has enabled - shared-autofill as a hint to the user agent to fill - in the entire payment form.

    +

    The checkout form on https://pizza.example.com/ has enabled shared-autofill as a hint to the user agent to fill in + the entire payment form.

    <form method=post>
  <p> Cardholder name:    <input>
@@ -55794,28 +55793,28 @@ form.method === input; // => true

    Suppose the user starts typing the cardholder name and the user agent offers to fill in the entire credit card form. The cardholder name and expiration date controls are eligible by means - of their origin, and the controls in number.html and - cvc.html are eligible due to the - shared-autofill feature. - None of the controls in ad.html is eligible because of the distinct - origins and the absent shared-autofill feature; - this prevents leaking information to the ad server.

    + of their origin, and the controls in number.html and cvc.html are eligible due to the shared-autofill feature. None of the controls in ad.html is eligible because of the distinct origins and the absent shared-autofill feature; this prevents leaking + information to the ad server.

    -

    Whether a form control is eligible for autofill by means of - shared-autofill might be beyond control of the - focused document: policy-controlled - features can be enabled or disabled by a parent document in its children, but not vice - versa. This reflects how form controls in cross-origin iframes are commonly seamlessly integrated - with the top-level document. The user agent might ignore - shared-autofill in documents that are not - descendants of the focused document, perhaps depending on the value that would be filled.

    - -

    The user agent might generally ignore - shared-autofill in cross-origin frames - when filling in usernames and passwords since these credentials might be associated to a specific - origin.

    +

    Whether a form control is eligible for autofill by means of shared-autofill might be beyond control of the focused + document: policy-controlled features can + be enabled or disabled by a parent document in its children, but not vice versa. This reflects + how form controls in cross-origin iframes are commonly seamlessly integrated with the top-level + document. The user agent might ignore shared-autofill in documents that are not descendants of + the focused document, perhaps depending on the value that would be filled.

    + +

    The user agent might generally ignore shared-autofill in cross-origin frames when filling in + usernames and passwords since these credentials might be associated with a specific origin.

    On the other hand, the user agent might fill in cross-origin form controls in the absence of shared-autofill if it thinks this is the user's