Modern browsers no longer respect autocomplete=off, causing false negatives #49

Open
mipearson opened this issue Mar 27, 2015 · 15 comments

Comments

@mipearson
Contributor

I'm considering dropping negative_captcha and looking for other solutions as we're getting many false negatives as users auto-fill forms.

Before I do so, I'm wondering if anybody else has encountered this, and if they've been able to work around it within negative_captcha?

@markdavies

I encountered this and found it much too difficult to work around, so ended up moving to the new version of Google reCaptcha

@mipearson
Contributor Author

I'm considering the same. I think a note about this should be added to the README.md to avoid nasty surprises.

@kirichkov
Contributor

I can also confirm! Recently I am getting many false positives (and complaints) too.

@mleone

mleone commented Jun 16, 2015

+1

@jfabre

jfabre commented Jun 18, 2015

Seems like there's a fix we can use without having to remove the plugin: http://stackoverflow.com/questions/12374442/chrome-browser-ignoring-autocomplete-off

Not sure it applies to all browsers but all my false negatives were on chrome so...

@jfabre

jfabre commented Jun 19, 2015

I actually added some jquery directly in my form as a workaround:

 $('input[autocomplete=off]').attr('autocomplete', 'false')

I don't know how long it's going to work on Chrome...
As I understand it, any value other than on or off will block Chrome autocomplete.

@augnustin
Contributor

👍 Same issue here.

Many things to say here.

First, I am completely shocked to see Chrome going away from W3C standards and making such a big change that breaks many, many things in the whole web (negative captcha is not my only complaint here, all autocomplete/typeahead plugins are broken now).

Second, I tried various workarounds from the SO post, without success... I actually think they don't make any sense anyway. Same with @jfabre's solution, does it really work??

Last, I am sure there are various solutions to implement here. Google reCaptcha is not an option here for me: the user experience is totally changed: from signing up to a web service (being a welcome human by default), you have to prove that you're a human. It is a single click, but still. Feels like I'm downloading some illegal album here.

And I find negative captcha idea so great that I don't want to sacrifice it! 😄

My workaround ideas for the moment are:

  • adding a JS catch on submit that would make a smart check deleting auto-completed fields in some cases.
  • restoring actual input field names: do robots actually only fill input fields that make sense?
  • diving into Chrome auto-complete behavior and finding a workaround.

What do you think?

@erik-megarad
Owner

I'm listening to this conversation, but I don't have much experience in this area so I can't really contribute. If you guys settle on a consensus approach that appears to work, either make a PR or let me know what it is so that I can incorporate it into the gem.

As it stands, I'm hesitant to put anything in that is a temporary hack or that might break other browsers.

@augnustin
Contributor

3 years later I'm back.

Chromium sent me on this page: https://www.chromium.org/developers/design-documents/create-amazing-password-forms

I guess this means the negative-captcha approach is not acceptable anymore since browsers encourage us to describe how our forms work as precisely as possible ...

I'll look for an alternative. Any tip out there?

@xgotyou

xgotyou commented May 14, 2018

I think the trend will only develop further. Also, for me, HTML fields having appropriate names (not mashed to hash values by negative captcha) feels right. Accessibility is also important. So I don't see a solution here to continue using negative captcha.

Even a small probability of being busted by a false negative for a user with negative captcha is worse than in the case of positive captcha, because in the case of negative captcha most of your users don't even understand that you use a captcha and thus cannot control the result.

@erik-megarad
Owner

erik-megarad commented May 14, 2018

Yeah, I would tend to agree. Since this project's inception, 10 years ago, common captcha technology has gotten better and less intrusive (reCAPTCHA, specifically). At the same time, the technology behind negative captcha has, like you guys have said, become infeasible.

It might be a reasonable idea to include negative captcha as a sort of pre-filter before a positive captcha. That way no human would be denied access, but maybe the majority of people would not be required to go through the normal captcha process. In this use case, a front-end only version of negative captcha would probably be best. In most cases, really, a front-end only version would probably be best.

Unfortunately I don't really have the time these days to make these types of changes.

@xgotyou

xgotyou commented May 14, 2018

Actually, the idea of using it as a pre-filter makes sense. If negative captcha fails, you ask to complete positive captcha as a next step. Benefit - it maintains better user experience. But the downside is logic complication.

But what do you mean by front-end only version? I don't see it quite clearly. Can you describe it or post a link to a description?

Also, current reCAPTCHA is really good, but it doesn't really have alternatives. At least I can't find one.
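
The pre-filter idea from the two comments above, as an added example that is not part of the thread and not the negative_captcha gem's code: a tripped honeypot or timing signal never rejects the submission, it only escalates to the positive captcha, so an autofilled decoy costs a human one extra step. All names, field names, the secret and the threshold are assumptions made for illustration.

```ruby
require "openssl"

# Hypothetical names throughout; this is not the negative_captcha gem's API.
SECRET = "constructed-demo-secret"      # assumption: per-application secret
DECOYS = %w[email name comment].freeze  # decoy inputs hidden from humans
MIN_FILL_SECONDS = 3                    # assumption: faster looks scripted

# Token rendered into the form: issue time plus an HMAC over it.
def form_token(issued_at)
  ts = issued_at.to_i.to_s
  mac = OpenSSL::HMAC.hexdigest("SHA256", SECRET, ts)
  "#{ts}.#{mac}"
end

# Constant-time comparison of two strings.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the issue time as an Integer, or nil if the token is missing or forged.
def token_issue_time(token)
  ts, mac = token.to_s.split(".", 2)
  return nil unless ts && mac && ts.match?(/\A\d+\z/)
  secure_equal?(mac, OpenSSL::HMAC.hexdigest("SHA256", SECRET, ts)) ? ts.to_i : nil
end

# Returns [:accept, []] or [:challenge, reasons]. There is deliberately no
# :reject outcome: a failed negative check only triggers the positive captcha.
def prefilter(params, now: Time.now)
  reasons = []
  filled = DECOYS.reject { |f| params[f].to_s.strip.empty? }
  reasons << "decoy filled: #{filled.join(',')}" unless filled.empty?
  issued = token_issue_time(params["token"])
  if issued.nil?
    reasons << "bad token"
  elsif now.to_i - issued < MIN_FILL_SECONDS
    reasons << "submitted too fast"
  end
  [reasons.empty? ? :accept : :challenge, reasons]
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.at(1_700_000_000) # constructed sample submissions
  typed = { "token" => form_token(t0), "f_3a9c" => "alice@example.com" }
  autofilled = typed.merge("email" => "alice@example.com") # browser filled a decoy
  p prefilter(typed, now: t0 + 20)
  p prefilter(autofilled, now: t0 + 20)
end
```
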

@jonatasrancan

Hey guys.

You can set a random string to the autocomplete option to make it disabled.

> In some cases, the browser will keep suggesting autocompletion values even if the autocomplete attribute is set to off. This unexpected behavior can be quite puzzling for developers. The trick to really forcing the no-autocompletion is to assign a random string to the attribute, for example: autocomplete="nope"

@steinhaug

I am wondering if the reason browsers do not respect this is that they want to be able to autocomplete all inputs if possible, in a perfect world that is, but for that to work we cannot have attributes like = off in the mix.

It looks like setting autocomplete to something other than the defaults will turn it off. In my case I had a captcha I wanted to disable it for. Simply autocomplete=captcha solved it - naturally there was no autocomplete for this and the markup now looks so much more informative for, say, a Google search robot trying to make sense of the form.

@erik-megarad
Owner

If anyone wants to make a PR I'd be happy to put it in
