
Chrome’s requestAutocomplete() - teej
http://blog.alexmaccaw.com/requestautocomplete
======
MatthewPhillips
Seeing a bad trend here lately, and at IO, where they continually talk about
Chrome as a platform. Not the web, Chrome. I read Chromium bugs about Chrome
specific APIs and never see any indication that there is intent at
standardization. To be clear, I believe in browser vendors innovating with
their own APIs with an eye towards eventual standardization. This is what
Mozilla is doing through WebAPI, for example, but I don't hear anything like
that from the Chrome team. What I see is that parts of Google are involved in
web standards, of course, but particularly Chrome seems entirely focused on
themselves as the platform.

~~~
pixelcort
A quick test would be this: are there any APIs in Stable/Release versions of
Chrome that have not been submitted to any standards group?

~~~
bzbarsky
Sure there are (some inherited from WebKit).

Though note that submitting and then completely ignoring the standards group
(which has also happened) is not much better than not submitting at all.
Especially if the submission doesn't actually give much more than the name of
the API and a general idea of what it does.

~~~
YesThatTom2
"completely ignoring the standards group"?

Look at their off-line standard. They took it to the standardization body who
changed it so completely that it was a different beast. Google did the right
thing and phased out their old legacy stuff and switched to the standard. In
fact IIRC they didn't even put the legacy stuff in Chrome.

~~~
bzbarsky
Sure. There are lots of parts of Google and Chrome that play very nice with
standards groups and whatnot.

And there are various other parts that don't.

------
nostromo
This will be a huge boon to conversion rates.

Auto-complete has always been incredibly flaky for me. And personally I find
that reaching for the credit card is the point where I think, "do I really
want this?"

It's as if Google is bringing Amazon's "one-click" checkout to all Chrome
users.

~~~
eurleif
>It's as if Google is bringing Amazon's "one-click" checkout to all Chrome
users.

Shutupshutupshutup, don't ruin this. ;) (<http://en.wikipedia.org/wiki/One-click_patent>)

~~~
_nb
Ah, but you see, it's "two-click" checkout. So we're good, right?

~~~
Yrlec
Or "mouse over" checkout. Imagine the conversion ratios!

------
geuis
Oh I am sure there are good uses for this but the code sample scares the pants
off me. Never ever evah do the following:

    form.addEventListener('autocomplete', function(){
      form.submit();
    });

This does not give the user any time to review or update the information that
the browser autocompletes.

Always show the user what information is being sent, always give them an
option to change it.
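
An added example, not part of the original comment or the linked article: one way to follow this advice is to treat the `autocomplete` event as the start of a review step and submit only on an explicit click. The function names, the `renderSummary` callback and the confirm button are assumptions for illustration.

```javascript
// Added example: review step for a form filled via requestAutocomplete().
// maskCard, collectForReview and wireReviewStep are illustrative names.
const SENSITIVE = { 'cc-number': 'last4', 'cc-csc': 'omit' };

function maskCard(value) {
  const digits = String(value).replace(/\D/g, '');
  return digits.length > 4
    ? '*'.repeat(digits.length - 4) + digits.slice(-4)
    : '****';
}

// Build the rows shown to the user; card data is never echoed in full.
function collectForReview(inputs) {
  const rows = [];
  for (const input of inputs) {
    if (!input.value) continue;
    // 'billing cc-number' -> 'cc-number'
    const field = (input.autocomplete || input.name || '').trim().split(/\s+/).pop();
    let shown = input.value;
    if (SENSITIVE[field] === 'last4') shown = maskCard(input.value);
    if (SENSITIVE[field] === 'omit') shown = '(provided)';
    rows.push({ field, shown });
  }
  return rows;
}

// The 'autocomplete' event only opens the review; submission needs a click.
function wireReviewStep(form, confirmButton, renderSummary) {
  let reviewed = false;
  const refresh = function () {
    renderSummary(collectForReview(form.elements));
  };
  form.addEventListener('autocomplete', function () {
    refresh();
    reviewed = true;
    confirmButton.disabled = false;
  });
  // Keep the summary in step with any corrections the user types.
  form.addEventListener('input', function () {
    if (reviewed) refresh();
  });
  confirmButton.addEventListener('click', function () {
    if (reviewed) form.submit();
  });
}
```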

~~~
nolok
It is my understanding that the "autocomplete" event being referenced here, is
after you 1 - ask the browser to autocomplete, 2 - the user is shown what will
be shared, and accepts sharing it.

That would cover it (by comparison the scenario you think of would be crazy
terrible).

~~~
shock-value
Well, I would expect those two actions to pre-fill the form data. I wouldn't
expect them to also submit the form. I think that's the issue.

~~~
jschmitz28
I think in that case it would be almost the same as a malicious site calling
form.submit() after detecting in javascript that all of the fields have been
filled out. It would have a slightly worse accuracy, though, since the user
has not yet double checked that the form is correct. Does anyone know if there
are laws related to this? I could definitely see it being illegal to
automatically submit forms that result in financial transactions.

~~~
eurleif
Look at the screenshot. The permissions dialog shows exactly what information
is being submitted, and is labelled 'submit payment details'. No one should be
misled.

------
timothya
One of the best use cases for this is on mobile. Conversion rates on mobile
are really low because users usually don't want to dig out their credit cards
when on their smartphone, let alone fill in all their details on a tiny
screen. The ability to just tap a couple of times and use their existing
billing information (which is synced from their desktop browser) is a huge
win. And as mobile becomes the more popular way to browse the web, I think
this could be a pretty big deal for online sellers.

~~~
crdoconnor
I don't know about anybody else, but I seriously do not trust my smartphone's
OS with my credit card number.

------
r00fus
The main issue I have with autocomplete is that the data can vary by site -
which means stale data is possible.

I don't use autocomplete, I use 1password, which guarantees my information is
as up to date as I want it to be for all sites.

Perhaps browser extensions like 1Password can also leverage this to keep your
autocomplete data up to date with your main contact/credit details?

~~~
sharth
The initial implementation appears to be targeted to e-commerce sites. Your
username and password are not included in the fields that this can populate.

Here are the supported fields:

* Contact: name, tel, email

* Shipping: street-address, address-line1, address-line2, locality, region, country, postal-code

* Billing: street-address, address-line1, address-line2, locality, region, country, postal-code

* Payment: cc-name, cc-number, cc-exp, cc-csc, cc-type

~~~
r00fus
1Password allows one to autofill credit card, address and other fields as
well, you know. I use that almost as frequently as the passwords.

~~~
sinofer
I use lastpass for the purpose. But I can imagine baking it into the browser
will lead to higher conversion rates especially on mobile.

------
bpicolo
Autocompleting billing details without even having a form shown seems like a
terrible idea. How does someone with autocomplete enabled not suddenly find
themselves missing bundles of money?

~~~
simonbrown
Chrome displays a permission dialog.

~~~
bpicolo
I missed that part, thanks. I still feel like it could be abusable.

~~~
jerf
One possible exploit I can think of would be to put up a form that doesn't
have any _visible_ credit card fields, but somehow convincing the autofill code
to fill it in anyhow. The user thinks they are just autofilling their email
but in hidden fields are populating their credit card info. It would be easy
to not fill in <input type="hidden"> fields, but field inputs that are more
literally hidden (off the top of the screen, obscured by other elements,
white-on-white text and elements, etc) is a harder problem. I could see a user
clicking through the popup without noticing the popup mentions more info than
they realize, because the user is expecting it already and doesn't carefully
examine it.
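
An added example, not part of the original comment: a defender-side check that a site owner or reviewer could run over a form to flag payment fields that would take autofilled data while being concealed in the ways described above. The field descriptor shape (`type`, `autocomplete`, `style`, `rect`) is an assumption; in a browser the values would come from `getComputedStyle()` and from `getBoundingClientRect()` converted to page coordinates.

```javascript
// Added example: flag payment inputs that autofill could populate out of sight.
// Descriptor shape { type, autocomplete, style, rect } is assumed for
// illustration; rect is in page coordinates.
const PAYMENT_TOKENS = ['cc-name', 'cc-number', 'cc-exp', 'cc-csc', 'cc-type'];

function concealmentReasons(field) {
  const s = field.style || {};
  const r = field.rect || { left: 0, top: 0, width: 0, height: 0 };
  const reasons = [];
  if (field.type === 'hidden') reasons.push('type=hidden');
  if (s.display === 'none') reasons.push('display:none');
  if (s.visibility === 'hidden') reasons.push('visibility:hidden');
  if (parseFloat(s.opacity) === 0) reasons.push('opacity:0');
  if (r.width < 2 || r.height < 2) reasons.push('collapsed box');
  // A box that ends at negative page coordinates cannot be scrolled into view.
  if (r.left + r.width < 0 || r.top + r.height < 0) reasons.push('off-page');
  if (s.color && s.color === s.backgroundColor) reasons.push('text matches background');
  return reasons;
}

function auditForm(fields, tokens = PAYMENT_TOKENS) {
  const findings = [];
  for (const field of fields) {
    // 'billing cc-number' -> 'cc-number'
    const token = (field.autocomplete || '').trim().split(/\s+/).pop();
    if (!tokens.includes(token)) continue;
    const reasons = concealmentReasons(field);
    if (reasons.length) findings.push({ token, reasons });
  }
  return findings;
}

// Constructed sample: visible email and cardholder name, three concealed card fields.
const SHOWN = { display: 'inline-block', visibility: 'visible', opacity: '1',
                color: 'rgb(0, 0, 0)', backgroundColor: 'rgb(255, 255, 255)' };
const BOX = { left: 20, top: 100, width: 200, height: 24 };
const SAMPLE_FORM = [
  { type: 'email', autocomplete: 'email', style: SHOWN, rect: BOX },
  { type: 'text', autocomplete: 'billing cc-name', style: SHOWN, rect: BOX },
  { type: 'text', autocomplete: 'cc-number', style: SHOWN, rect: { ...BOX, top: -500 } },
  { type: 'text', autocomplete: 'cc-exp', style: { ...SHOWN, opacity: '0' }, rect: BOX },
  { type: 'text', autocomplete: 'cc-csc',
    style: { ...SHOWN, color: 'rgb(255, 255, 255)' }, rect: BOX },
];

console.log(auditForm(SAMPLE_FORM));
```

Elements obscured by other elements are not covered here; that case needs a hit test at the field's position in a live page.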

~~~
notaddicted
That will have to be addressed by the Chrome permissions dialog ... Agreed
though, I think it would be wise to make the user type-in their CVC or
something before transmitting the payment info.

------
jimbobimbo
Fun fact: Internet Explorer 6 had features called "Wallet" and "My Profile".
The data you'd put there would be picked up by HTML forms that use so called
"VCARD scheme".

<http://msdn.microsoft.com/en-us/library/ie/ms533032%28v=vs.85%29.aspx>

~~~
atesti
That is strangely true for many new features: They have all already been there
at one point in the monopolistic Internet Explorer. e.g. CSS expressions from
IE will now have a comeback, RSS was Active Channels, IE had HTML tooltips
that went beyond the window, a fullscreen api (much abused), localstorage was
domstorage, shadow DOM were behaviours, css filters were directxfilters...

------
mildweed
Why is this needed in the markup? The autocomplete attribute is plenty.
Everything else is just how the browser handles that attribute...

<http://css-tricks.com/snippets/html/autocomplete-off/>

~~~
nostromo
Autocompleted data is not available to js -- that would be a huge security
issue.

------
msoad
On the other hand people use random-id to PREVENT autofill in most of payment
forms which I don't understand!

------
AaronFriel
Excuse the common FUD trope:

1. Embrace

2. Extend <-- Google Chrome just went here.

3. Extinguish

What would people say if Microsoft implemented a new JavaScript API in their
browser that only they had access to the spec for?

~~~
blinks
<http://wiki.whatwg.org/wiki/RequestAutocomplete> ?

~~~
AaronFriel
That's a promising sign, at least. I was wrong, they posted at least _some_
sort of draft. That's good, and hopefully keeps them on "embrace".

~~~
cdmckay
Maybe next time do a cursory search before jumping to conclusions? The WHATWG
spec is the first link when you search for "requestAutocomplete" on Google.

------
mschuster91
Biggest problem: many small shops, especially Wordpress shop themes and many
self-written shops don't use the autocomplete="..." attribute to properly
indicate autocompletion support...

~~~
danbeam
Hi mschuster91,

I'm the other presenter from the I/O video. We hope to contribute to popular
open source cart software in the near future so that vendors creating a quick
shop can benefit from [autocomplete] attributes baked in by default.

------
intropic
I love the idea of being able to autofill a form on page load using the
browser's own history! Also, I'm highly impressed if indeed this is being added
to chrome based on something Alex asked for.

~~~
danbeam
Hey intropic, requestAutocomplete() is only invokable in response to a user
action (load's not considered that), so it's more likely that this would be
done when you click a "checkout" button or something like that.

------
livingparadox
This terrifies me on a security level... I understand there is a permission
dialog, but I very much would not like my credit card information available
unless I type it in...

~~~
toomuchtodo
And that's perfectly fine. Disable its storage in Chrome for autocompletion.
My credit cards have zero liability, so, store away Google.

------
quackerhacker
Bad Idea? I'm a web dev and maybe some other people could weigh in here on the
privacy concern I could imagine from this. Scenario below.

1. you visit site: whatever.com

2. I have a hidden input with a name="address"

3. I have an onchange event listener for the hidden input

4. Now auto complete fills in automatically and I just associated your ip
with your address (assuming the auto fill is correct).

I always think this whenever I hear about auto complete. I NEVER save form
data just for this reason.

~~~
aiiane
requestAutocomplete pops up a permission dialog to the user, it's not
automatic on sites you haven't already granted permission to - the article
mentions this.

~~~
dlib
What if I permit a site to autocomplete my email, address etc. but not my
credit-card. Then, after the permission is given the form is changed to ask
for a credit-card.

I'm sure this is all thought through but I'll wait for a bit before using this.

~~~
quackerhacker
Great point! This is why I'm always a little hesitant whenever I hear about
auto complete abilities. Just the knowledge that you're storing personal info
(whether it's hashed and salted or not), and authorizing the browser to
determine when it is convenient for you not to type.

My privacy concern is just a javascript phishing attack (nothing too
complicated that a beginner can do). Not to say this feature wouldn't be nice,
just making the suggestion that there is a lot of room for concern here.

------
estade
Hi all. I'm one of the devs who presented this at Google IO:
<http://www.youtube.com/watch?v=1M50AXPd0Tg&feature=youtube_gdata>

If you have questions or feedback, you can reach out to us at
requestautocomplete@chromium.org. I'll also try to answer some of the
questions on this thread.

------
hrktb
It's a very interesting feature. What would be the best fit for it?

Home address would be too complex with too many variations, same thing for
gender or title. Login/password would be better handled by a token cookie...

It seems to be best used for email or phone number fields, or other very
standardized data only.

Addendum: the example given in the post would be bad, as for most credit card
forms you would want a control code input, and generally wouldn't want to
encourage sensitive data to be autocompleted.

------
chocolateboy
Streamlining credit card payments is like improving CVS. It's still a
skeuomorphic, Flintstones way of paying for something online. There are better
solutions in the works that focus on innovating rather than renovating:

<https://payswarm.com/>

<https://www.youtube.com/watch?v=02vX36Ntxxk>

------
hhm
I can only see all the potential security issues for this idea. I don't
think I would have this enabled with my credit card details.

~~~
ricardobeat
It's the same as the form autocomplete you already have, only now it can be
initiated from js.

