Add autocomplete="off" to all generated hidden fields (fixes #42610) #43280
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Action text tests are broken. Can you take a look? |
Should be fixed by 58127ec. |
rafaelfranca
added a commit
that referenced
this pull request
Sep 22, 2021
Add autocomplete="off" to all generated hidden fields (fixes #42610)
andyundso
added a commit
to simplificator/datatrans
that referenced
this pull request
Feb 21, 2022
Looks like this was introduced to "fix" a bug in Firefox: rails/rails#42610 rails/rails#43280
andyundso
added a commit
to simplificator/datatrans
that referenced
this pull request
Feb 21, 2022
Looks like this was introduced to "fix" a bug in Firefox: rails/rails#42610 rails/rails#43280
andyundso
added a commit
to simplificator/datatrans
that referenced
this pull request
Feb 21, 2022
Looks like this was introduced to "fix" a bug in Firefox: rails/rails#42610 rails/rails#43280
kevindew
added a commit
to alphagov/whitehall
that referenced
this pull request
Mar 11, 2022
Starting in Rails 6.1.5 hidden inputs have autocomplete="off" set as an attribute, thus the test HTML needs to be updated. This is explained further in: rails/rails#43280
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Firefox has a longstanding bug where it may populate hidden inputs without
autocomplete="off"with completely random values. Since Rails uses hidden fields extensively for e.g. CSRF protection and non-standard HTTP methods via_method, Firefox users interacting with otherwise-fine Rails apps will see random "Invalid Authenticity Token" errors and form inputs getting interpreted as the incorrect HTTP method, among other unexpected behavior. Addingautocomplete="off"does not appear to have any negative consequences for other browsers, and is valid HTML. There's more discussion and links at: #42610I recently bundled my workaround for this into a gem for Rails 6.1 apps,
rails-hidden_autocomplete, which I've now reworked into this PR so that it can benefit all Rails users & developers, since this bug is currently extremely frustrating to diagnose and fix in real-world apps (see also podqueue/rails-hidden_autocomplete#2).Other Information
I appreciate that this change might need to be gated behind a new framework default for ActionView, which I'd be happy to work on adding if that's the consensus.