Chrome Disables Autofill In Insecure HTTP Forms on HTTPS Sites

Starting in version 86, Chrome will automatically block autofill on insecure forms. Even if your site is secured with HTTPS, if your forms aren’t set to submit over HTTPS, data can still be transferred over HTTP.

The Problem, and How To Fix It

The problem lies in the fact that HTML forms can sometimes be set to HTTP endpoints, regardless of how the rest of the site is delivered. For example, you may have a perfectly secure HTTPS site, and even redirect HTTP to HTTPS:

https://www.example.com

On that site, you could have a form like the following, which takes some input and POSTs to an endpoint.

<form action="/action_page.php" method="post">
  <label for="fname">First name:</label><br>
  <input type="text" id="fname" name="fname"><br>
  <label for="lname">Last name:</label><br>
  <input type="text" id="lname" name="lname">
</form>

If your forms are written like this, with a relative link instead of a direct (absolute) one, everything is fine, and the form will post to the HTTPS endpoint automatically. In this case, that is https://www.example.com/action_page.php.

However, if you instead use a direct (absolute) link, such as when posting to a different subdomain, it’s possible to link to an insecure version of your site. This form will always post to the HTTP URL, because that’s what it was told to do.

<form action="http://www.example.com/action_page.php" method="post">
  <label for="fname">First name:</label><br>
  <input type="text" id="fname" name="fname"><br>
  <label for="lname">Last name:</label><br>
  <input type="text" id="lname" name="lname">
</form>

Of course, the fix is very easy. Simply change the HTTP to HTTPS, and the form will post properly.

If you want to check your code for insecure endpoints, you can do a Control+F search for the following:

action="http://
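
A plain text search for that string misses single-quoted or upper-case attributes, spacing around the equals sign, formaction on submit buttons, and relative actions resolved against an http:// <base href>. The Python script below is an added example, not code from the original article; it parses the markup and resolves every submission target before checking its scheme. The names InsecureFormFinder and find_insecure_forms and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class InsecureFormFinder(HTMLParser):
    """Collect form submission targets that resolve to plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url  # URL the page itself is served from
        self.base = page_url      # replaced if the page declares <base href>
        self.findings = []        # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)       # html.parser lowercases tag and attribute names
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.page_url, attrs["href"].strip())
            return
        if tag == "form":
            name = "action"
        elif tag in ("button", "input") and "formaction" in attrs:
            name = "formaction"   # overrides the form's action for that button
        else:
            return
        raw = (attrs.get(name) or "").strip()
        # A missing or empty target submits to the page's own URL.
        target = urljoin(self.base, raw) if raw else self.page_url
        if urlsplit(target).scheme == "http":
            self.findings.append((self.getpos()[0], tag, name, target))


def find_insecure_forms(html, page_url):
    """Return every form target in html that would submit over HTTP."""
    finder = InsecureFormFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample markup, not taken from a real site.
SAMPLE = """<form action="/action_page.php" method="post"></form>
<form ACTION = 'HTTP://www.example.com/action_page.php' method="post"></form>
<form action="https://www.example.com/action_page.php" method="post">
  <button formaction="http://forms.example.com/save">Save</button>
</form>"""

if __name__ == "__main__":
    for line, tag, attr, url in find_insecure_forms(SAMPLE, "https://www.example.com/"):
        print(f"line {line}: <{tag} {attr}> submits to {url}")
```

Run it against the HTML your server actually renders rather than only the templates, since form targets are sometimes assembled at runtime.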
