This project is archived and is in readonly mode.

#6722 new
Florent Viard

Add autocomplete="off" Attribute to the authenticity_token of form_tag

Reported by Florent Viard | April 19th, 2011 @ 09:49 AM

Today, Chrome and maybe other browsers also remember hidden fields in forms when using the AutoFill/AutoComplete feature (like for keeping user credentials).

And so, when using form_tag in RoR with the authenticity token feature enabled, the form submission could fail with an invalid token error because Chrome will try to autocomplete the authenticity_token hidden field with an old value.

See for example those bugs in redmine:
http://www.redmine.org/issues/4825
http://www.redmine.org/issues/5915
http://www.redmine.org/issues/5230

An easy fix would be to add the autocomplete="off" attribute to the hidden input field used for the authenticity token.

To fix this, in "rails/actionpack/lib/action_view/helpers/form_tag_helper.rb", in the function def token_tag(token), add
  :autocomplete => "off"
to
  tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => token)
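The fix described above and the failure it prevents, as an added Ruby example that is not part of the ticket or of Rails itself: token_tag, generate_token, valid_token?, apply_autofill and submission_valid? are hypothetical stand-ins, and the browser autofill store is a constructed toy model.

```ruby
require "securerandom"
require "cgi"

# Stand-in for the token_tag helper discussed in the ticket (hypothetical,
# not the Rails implementation): renders the hidden authenticity token input
# and, by default, marks it autocomplete="off".
def token_tag(token, param_name: "authenticity_token", autocomplete_off: true)
  attrs = { "type" => "hidden", "name" => param_name, "value" => token.to_s }
  attrs["autocomplete"] = "off" if autocomplete_off
  pairs = attrs.map { |k, v| %(#{k}="#{CGI.escapeHTML(v)}") }
  "<input #{pairs.join(' ')} />"
end

# Fresh per-session token, as the server would issue it.
def generate_token
  SecureRandom.hex(16)
end

# Constant-time comparison so the check does not leak how many leading
# bytes of the submitted value matched.
def valid_token?(session_token, submitted)
  return false if session_token.nil? || submitted.nil?
  return false unless session_token.bytesize == submitted.bytesize
  diff = 0
  session_token.bytes.zip(submitted.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# Toy model of a browser's autofill store (constructed for this example):
# remembered values are keyed by field name and replace the rendered value
# unless the field opts out with autocomplete="off".
def apply_autofill(input_html, remembered)
  attrs = input_html.scan(/(\w+)="([^"]*)"/).to_h
  return attrs["value"] if attrs["autocomplete"] == "off"
  remembered.fetch(attrs["name"], attrs["value"])
end

# Replays the failure from the report: the browser remembered the token of an
# earlier form and submits it with a form rendered under a newer session token.
def submission_valid?(autocomplete_off:)
  remembered = { "authenticity_token" => generate_token } # stale value
  session_token = generate_token                          # current session
  html = token_tag(session_token, autocomplete_off: autocomplete_off)
  submitted = CGI.unescapeHTML(apply_autofill(html, remembered))
  valid_token?(session_token, submitted)
end
```

Calling submission_valid?(autocomplete_off: false) reproduces the invalid-token rejection, while submission_valid?(autocomplete_off: true) passes because the stale value is never applied.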

Comments and changes to this ticket

  • Greg Molnar

    Greg Molnar May 16th, 2011 @ 04:47 PM

    As far as I know, the autocomplete attribute is not valid in XHTML, so I'm not sure if this would be a good idea to add.

  • Florent Viard

    Florent Viard May 16th, 2011 @ 05:04 PM

    It is true, but this problem is really bad when you suffer from it, and there are a lot of bug reports related to it.

    I think that it is not so bad to add it as a temporary workaround until the major internet browsers fix it for hidden fields or everyone switches to HTML5.
    (By the way, I'm not sure, but is it really not yet valid? http://www.w3.org/Submission/2005/SUBM-web-forms2-20050411/#the-aut...)

    I read that a lot of web sites (mainly banks) use it.

  • Greg Molnar

    Greg Molnar May 16th, 2011 @ 09:37 PM

    The site you linked to is just a submission of planned changes to the W3C spec. Unfortunately it won't be valid soon. As far as I know, Rails has a principle that it generates valid XHTML markup, and this would cross that. Although you can easily add some JavaScript to your site to add this attribute to the token's input.


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
