Now that Mavericks is out, and it can use autofill to handle credit card info, are there specific field names they look for?
Well I'm not sure exactly about how Mavericks handles it but in chrome you can accomplish autofill in a way like this:
<form method="post" autocomplete="on">
<input name="cc-name" autocomplete="cc-name" type="text" placeholder="Full Name" required />
<input name="cc-number" autocomplete="cc-number" type="text" placeholder="Credit Card Number" required />
<input name="cc-exp" autocomplete="cc-exp" type="text" placeholder="Expire Date" required />
<input type="submit" name="submit" value="Send my personal info to this person.." />
</form>
If safari works how chrome does it might have a regex scanner that looks for familiar terms and fills it in to the best of it's ability. It's very difficult to find any full details on how properly write an autocomplete form. The best bet is try it out and see what works then update your post with your results.
From my research it seems that for an autocomplete form to be filled with credit card info the web page MUST be under a secure domain ( https:// )
This is a list of all the autofill values that might work http://www.whatwg.org/specs/web-apps/current-work/multipage/association-of-controls-and-forms.html#autofill-field
Good luck! and don't abuse it.. That being said, not too many people will actually have their credit card set up for autofill for security reasons. I personally wouldn't for the risk of someone abusing the autofill feature and stealing my information with malicious JavaScript.
Related
How to prevent chromium based browser from sugesting personal information autofill for specific input?
<div class="form-group">
<label class="control-label" for="Nomenclature"> Nomenclature</label>
<input name="Nomenclature" class="form-control" id="Nomenclature" type="text" value="" autocomplete="off">
</div>
Somehow MS Edge assume this input is personal information, but it's not. As you can see, autocomplete is off for this input, so I guess Personal Information don't respect this attribute.
This behaviour is very annoying for users, because this input must be unique.
There are also other inputs in my portal that have this behaviour, and it makes no sense to users.
Simply add autocomplete="off" with form
More details:
https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Turning_off_form_autocompletion
How do I prevent a form from suggesting auto-complete values, from previous entries or from saved information in Edge?
In the above image, the email input field is marked as autocomplete="false", but still in the right pane you can see the suggestion is populating.
When I add autocomplete=disabled to one field it seems it work, but when I add the attribute to all the inputs, it again starts displaying suggestions for every field.
What is the solution for this?
Add the aria-autocomplete="list" attribute to the input.
<input type="text" id="FirstName" name="attr1" aria-autocomplete="list">
Do not use any other value for the attribute.
According to your description, I reproduced the problem. I think your issue is caused by the "Save and fill personal info" setting being enabled in Edge.
If you navigate to edge://settings/personalinfo and disable this feature, you can see this behavior no longer exists.
Or you can also click the "Manage personal info" option in the picture you provided, and then disable it.
I did some simple tests and found that if you need to solve the problem from the code, you need to modify the name attribute of the form's related field.
Like this(do not use attribute values like name or email... and maybe there are others I am not aware of):
<label for="attr1">attr1:</label>
<input type="text" id="FirstName" name="attr1">
<label for="attr2">attr2 :</label>
<input type="text" id="LastName" name="attr2">
<label for="attr3">attr3 :</label>
<input type="email" id="Email" name="attr3" autocomplete="off">
<input type="submit">
I don't recommend this, because good naming helps you understand and maintain the code. Using proper attributes like name and email also helps your code be more accessible for screen readers or other assistive technology.
I have a basic text input for a login form and I'd like the browser to remember email addresses that the user has entered, but it's not working. I don't think I should need to add a full auto-complete system to get this to work since it's something the browser should be doing. I don't see anything special on sites I've visited where this works.
If I search for this problem all the answers are about disabling autocomplete.
Here's my login form:
<form id="login-form">
<fieldset>
<input id="email" type="email" placeholder="Your email" required="" >
<input id="password" type="password" placeholder="Pick a good password" required="" minlength="6">
<button class="login">Register</button>
</fieldset>
</form>
So the problem here seems to be that I didn't have a "name" attribute on my input. It also seems that I need to have specific values for the name. "email" works and "login" works, but "user_email" and "foo" don't work.
Surprisingly this started working as soon as I added 'name="email"' to the input, so it seems that Chrome was saving the values, but wasn't showing them.
This simple input is all you need for Chrome to do email autocomplete:
<input name="email">
I do not believe that you can force a user's browser to autocomplete.
HTML5 has an autocomplete form attribute.
Here is the W3C spec for autocomplete attribute.
However, even if you set this attribute to "on", the autocomplete of HTML forms is going to depend on the client's browser settings and configuration.
Although you can, as you said, disable autocomplete, there is not a way you can force the user's browser to autocomplete a form if they configure their browser not to remember form history.
For example, here is how to disable autocomplete for Firefox: https://developer.mozilla.org/en-US/docs/Mozilla/How_to_Turn_Off_Form_Autocompletion
We are working with paypal payments standard in our website. When users fill up their request in our site and press the paypal button "Buy Now" we submit all the variables to paypal so they can process the payment.
For those users who have never been to paypal before and they are paying through our site it works perfectly well since it prompts for the credit card information automatically.
BUT: for those users who have been in paypal before we noticed that cookies are stored in the computer, and the user is prompted to login automatically before asking for their credit card information.
We want to have paypal always ask for the credit card information and leave the login to pay using paypal as an option.
Is there any variable we can send to paypal in order to force them to directly ask for the credit card information?
So far we found these variables to auto complete the credit card fields and they work great:
<input type="hidden" name="country" value="" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="last_name"value="" />
<input type="hidden" name="address1" value="" />
<input type="hidden" name="city" value="" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="zip" value="" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="night_phone_a" value="" />
<input type="hidden" name="night_phone_b" value="" />
<input type="hidden" name="night_phone_c" value="" />
For those looking more information about PayPal Form variables here is the reference:
https://cms.paypal.com/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_html_formbasics
I found a solution for the html-form, it is not documented by paypal*(!):
<input type="hidden" name="landing_page" value="Login" />
or
<input type="hidden" name="landing_page" value="Billing" />
This pray the paypal login to view the required form. Have fun.
* - Not documented, but there is some information.
Based on the other answers, comments, and votes to close, I think there is some confusion.
There are two legitimate options for users. Either enter payment information or login with an existing account. This can be somewhat confusing for users, who may or may not know/remember their login information. Last I checked, you do not need a PayPal account to use PayPal Standard payments (although I do believe CC# and contact info are checked against existing accounts if you don't login).
To answer the original question, I don't have first-hand experience overriding this behavior, but it may be possible.
https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_api_nvp_r_SetExpressCheckout
(See the LANDINGPAGE parameter)
(Optional) Type of PayPal page to display. It is one of the following
values:
Billing – Non-PayPal account Login – PayPal account login
Paypal will always lean towards encouraging existing users to login (which makes sense from a marketing/retention perspective and also from a security perspective).
Unfortunately it's impossible by design. And it's not for security, in fact it's a much more cynical reason that they do it:
PayPal gets charged a small percentage of all credit card transactions, so the said feature is in fact a thinly veiled attempt to discourage users from using a credit card.
To top it off there is nothing you can do about it! PayPal's API does not currently have a variable which controls this behaviour available to developers.
You may want to consider a different payment tool if taking credit card payment by default is important to you, although in my opinion money is money.
#Robert wrote the answer in one of the comments:
LANDINGPAGE is a parameter for Express Checkout, not for Website Payments Standard. Website Payments Standard doesn't support an equivalent to 'LANDINGPAGE'. If you want to force the credit card landing page to be displayed, you'll need to integrate PayPal Express Checkout.
So there you go, #Robert, actually that is the answer I got straight from Paypal.
Probably not. This is a PayPal security feature. No amount of cookies, sessions, or gathered information in the world is more secure than logging in AGAIN.
My site suffers from a lot of spam bots. If I have the login form:
<input name="username" type="hidden" />
<input name="password" type="hidden" />
<input name="hidden_1" type="text" />
<input name="hidden_2" type="password" />
So the user actually see's the 'hidden' prefix fields, and the username/password named fields are actually the hidden ones. If the username or password field is submitted with values, we know bot filled them out and can ban them.
My question is, do browsers auto fill hidden fields? Is this quite a good technique? I know this isn't going to stop all bots that are semi intelligent, but if this even blocks 1 bot, without affecting any genuine users it's worth doing.
I think that not all bots just search for "username" and "password" names, but also type="password". So this might not avoid bot access at all.
You can use a capture like ReCAPTCHA. It is free and easy to use. Additionally you can create a banlist and show a 404 to bots via htaccess.
This article might help you:
http://www.smashingmagazine.com/2011/03/04/in-search-of-the-perfect-captcha/
Your method is actually fairly decent, but you may still suffer from some spam, especially if forms are manually filled out