Safari extension: autocomplete

Safari has a feature called form autocompletion, or AutoFill, that reads the username and password you type into a web form, saves them to your keychain, and automatically fills them in from the keychain the next time you visit the web form. This feature is completely opt-in: you can enable and disable it in Safari’s preferences, and even when it’s enabled, Safari will ask you before saving the username and password from each web form. Many other web browsers have a similar feature; it appears to have been introduced by Internet Explorer.

Unfortunately, a number of web sites (including my bank, for example) choose to disable autocompletion in a misguided attempt at security. Autocompletion can be disabled by using the attribute autocomplete=off in a web form. The idea behind disabling autocompletion seems to be that it leaves the account holder vulnerable to someone else accessing the computer and logging into the account. I believe that this is misguided for at least two reasons. First, autocompletion is opt-in, so the user can decide whether to save passwords on a particular machine. Anyone who chooses to save their passwords on a public terminal is an idiot. Indeed, anyone who logs in to their bank account on a public terminal deserves to be hacked and lose all their money, because who knows what manner of keyloggers or other malware could be running on the machine? I feel safe turning on AutoFill on my computer because I’m the only person who ever has access to it.

Another reason that disabling autocompletion is misguided is that it encourages the use of weak passwords. For security, I generate very long, random passwords for web sites and save them to my keychain. There’s no way I could memorize even one of my web site passwords, much less all of them. It’s difficult for almost anyone to memorize a bunch of web site passwords. Disabling autocompletion forces the user to type them in manually every time, and this encourages the use of short, easy-to-remember passwords. Worse, it encourages password sharing among different web sites. Thus, if an attacker can guess or brute-force one password, the attacker suddenly has access to all of a person’s web site accounts. That’s terrible security.

WebKit, the web engine underlying Safari, respects the autocomplete attribute, and there’s no preference or API to make WebKit ignore the attribute. However, I discovered an excellent script written by Michael Kisor called Autocomplete Always On! that actually patches the WebKit framework itself on your system so that it ignores autocomplete. It works by changing one byte in the file

/System/Library/Frameworks/WebKit.framework/Versions/A/Frameworks/WebCore.framework/Versions/A/WebCore

transforming the string autocomplete into xutocomplete. After that change, WebKit looks for xutocomplete=off but never finds it in the web form, which means autocomplete never gets disabled. WebKit is open source, so we can verify the consequences of the patch.

The only downside of the Autocomplete Always On! script is that it needs to be re-run after any software update to the WebKit framework on your system. I’ve been using the script for years with no trouble … until Safari 5. After installing Safari 5, I discovered that the script was no longer effective in re-enabling autocompletion. This was no flaw in the script, however. Autocomplete Always On! still works as designed on the version of WebKit shipped with Safari 5. The problem is that the Safari 5 binary itself seems to include a new check for the autocomplete attribute in web forms. I’ve verified this behavior in the debugger. If the form contains autocomplete=off, then Safari 5 never calls the (private) WebKit method -[WebHTMLRepresentation elementDoesAutoComplete:], so Safari doesn’t even ask WebKit whether autocomplete is enabled for the web form element. It is possible to patch the Safari binary just like the WebCore binary, after which Safari 5 will call -[WebHTMLRepresentation elementDoesAutoComplete:], making the WebCore patch effective again. Unfortunately, patching the Safari binary breaks codesigning for the application, and the keychain uses codesigning to determine whether an application can access saved passwords.

That’s the bad news. The good news is that Safari 5 also introduced extensions. A Safari extension is like a plug-in, because it can run code inside the browser, but unlike a plug-in, an extension doesn’t run native C or Objective-C code but rather HTML or JavaScript code. For example, an extension can specify some JavaScript to run on page load. I found a script written by Andreas Huber that removes any autocomplete attributes from a web form, and I cleaned it up a bit for inclusion in a Safari extension. With my autocomplete extension installed, you don’t have to patch WebKit or Safari, because the autocomplete attributes are simply removed from the web page before the browser checks for their existence.
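As an added illustration (not the extension's own code and not Andreas Huber's script), here is an end script that strips the attribute on load and also from fields a page inserts or re-marks afterwards, which goes beyond the load-time removal described above. The names stripAutocomplete and watch are hypothetical, and it assumes a browser that provides MutationObserver, which postdates Safari 5.

```javascript
// Added example: end script that strips autocomplete attributes from
// forms and inputs, including ones inserted or re-marked after load.
// Function names are illustrative; MutationObserver is assumed available.

const TARGETS = 'form[autocomplete], input[autocomplete]';

// Remove the attribute from `root` itself (if it is a matching element)
// and from every matching descendant. Returns how many were removed.
function stripAutocomplete(root) {
  const nodes = [];
  // Document and text nodes have no matches(); skip the self-check there.
  if (root.matches && root.matches(TARGETS)) nodes.push(root);
  // Text nodes have no querySelectorAll(); nothing to search below them.
  if (root.querySelectorAll) nodes.push(...root.querySelectorAll(TARGETS));
  for (const el of nodes) {
    el.removeAttribute('autocomplete');
  }
  return nodes.length;
}

// Re-run the strip when the page adds nodes or sets the attribute again.
// ObserverCtor is passed in so the logic can be exercised outside a browser.
function watch(root, ObserverCtor) {
  const observer = new ObserverCtor((mutations) => {
    for (const m of mutations) {
      if (m.type === 'attributes') stripAutocomplete(m.target);
      for (const node of m.addedNodes || []) stripAutocomplete(node);
    }
  });
  observer.observe(root, {
    subtree: true,
    childList: true,
    attributes: true,
    attributeFilter: ['autocomplete'], // ignore unrelated attribute churn
  });
  return observer;
}

// Only touch the page when actually running inside a browser.
if (typeof document !== 'undefined') {
  stripAutocomplete(document);
  watch(document, MutationObserver);
}
```

Our own removeAttribute call triggers one more attribute mutation, but by then the element no longer matches, so the observer does not loop.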

I’m making my autocomplete Safari extension available — in September. No, today! You can download the extension here. To install the extension on your computer, you first need to check “Show Develop menu in menu bar” at the bottom of Safari’s Advanced preferences. Then in the Develop menu, you need to check “Enable Extensions”. After extensions are enabled, you can simply double-click the Safari extension in Finder to install.

Enjoy! In lieu of donations, I am accepting sexual favors. Or an icon.

26 Responses to “Safari extension: autocomplete”

  1. ssp says:

    Nice one! Had to try it right away.

    Unfortunately my bank seems to have found some other method of inconveniencing me :(

  2. JP says:

    I can’t get it to work on any site.

  3. JP says:

    OK, I spoke too soon. The extension did not appear in the Extensions preference pane. So I re-installed it. Now it shows up and seems to work just fine.

    You are entitled to many sexual favors, just not from me.

  4. Jeff says:

    Do you have examples of web sites where it doesn’t work?

  5. ssp says:

    @Jeff:

    Sure, try this one: https://banking.sparda.de/wps/portal/spardaclassic-banking

    It doesn’t seem to use autocomplete=off, so I guess it’s a completely different issue at work there.

  6. Timmy says:

    I hope someone will write a light-weight password manager extension.
    Maybe that someone will be you…

  7. Randy Harris says:

    Previous to Safari 5 I was getting this functionality from GLIMS, it’s great to have it enabled once again.

    Thanks!

  8. Timmy says:

    Did this extension happen to create a generic 512bit public/private key in the login keychain?
    I now have two unidentified keys named simply in my login keychain, with no modification dates or any other identifying info.

  9. Timmy says:

    RE my previous comment about the keys. The name of the keys is “key” (in angle brackets)

  10. Jeff says:

    ssp, I’m having trouble even connecting to that site, I’m just getting errors in German.

    Timmy, the extension is just some javascript, it can’t do anything to the keychain. However, Safari itself may be creating a keypair when installing the extension. And no, I won’t be creating a password manager. ;-)

  11. Timmy says:

    If anyone else out there is interested in password manager extension idea.

    I am envisioning a keychain access type functionality as a toolbar or something within Safari. Then we could store and retrieve passwords for sites that use non-standard forms which can’t be handled by Safari’s built-in auto-fill.

  12. [...] We can now find extensions for downloading YouTube videos, all of YouTube in HTML 5, autocompleting pages such as Google or forums, among [...]

  13. Steven says:

    Thank you thank you! I was lost when I found out the binary patch method didn’t work with Safari 5.

  14. Crunc says:

    This plugin doesn’t seem to work with http://nasafcu.com/

    I’ve tried it on two computers (both Macs) and it works on neither. It does show up in the Extension settings, but it doesn’t actually do anything. When I look at the page source I *do* see an autocomplete="off", but it doesn’t work. In fact I see that in the source even with this extension installed and enabled, which I presume it shouldn’t? In any case it doesn’t work. I hope you can get it to work with this site. Thanks!

  15. Crunc says:

    More specifically, it’s this page:

    https://ebranch.nasafcu.com/

  16. Jeff says:

    Crunc, I’m not sure why that site isn’t working. However, the autocomplete plugin does seem to be working correctly. Although the page source still contains autocomplete=off, if you look at the elements with Safari’s web inspector, you’ll see that they’re gone. The plugin removes the autocomplete attributes after the page has been loaded. There seems to be something else that’s preventing AutoFill, but I don’t know what it is.

  17. Stefan says:

    This extension works for the german railway connections site (reiseauskunft.bahn.de) which was the #1 site which annoyed me. Thank you very much!

  18. [...] Autocomplete: Stops banks, etc from disabling autocomplete. [...]

  19. Dave says:

    Thanks, you’re the best! Works like a charm. However, not good enough for sexual favors….I’ll leave that in your hands.

  20. kat says:

    Thanks, but this is not working for most of the sites I’ve tried.
    Examples are on https://myupmc.upmc.com/
    https://mcnet.upmchp.com/healthplanlogin/

    Both have the autocomplete element off, so this extension should work for those sites, but it does not.

  21. mad max says:

    nice, thanks, i was pretty frustrated when the webkit patch didn’t work.

    if you want to make your own extension just link the “end script” to this script (based on the linked to script in the original post):

    // Remove the autocomplete attribute from one element, if present.
    function removeAutocomplete(element) {
        var autocompleteNode = element.getAttribute("autocomplete");
        if (autocompleteNode != null) {
            element.removeAttribute("autocomplete");
        }
    }

    // Apply removeAutocomplete to every element in a collection.
    function removeAllAutocomplete(elements) {
        for (var i = 0; i < elements.length; i++) {
            removeAutocomplete(elements[i]);
        }
    }

    // Run against all forms and input fields on the page.
    removeAllAutocomplete(document.getElementsByTagName('form'));
    removeAllAutocomplete(document.getElementsByTagName('input'));

  22. carl says:

    thank you so much – you made it happen again. works like a charm on my banks!

  23. skab says:

    Wonderful, thanks for your research and the resulting script. This has been bugging me since I installed Safari 5.

  24. Jim Leff says:

    ——–
    “Indeed, anyone who logs in to their bank account on a public terminal deserves to be hacked and lose all their money, because who knows what manner of keyloggers or other malware could be running on the machine? ”
    ——–

    There are times when you absolutely must access bank sites from away. And, fortunately, there’s a trick for that. See link.
    http://jimleff.blogspot.com/2008/06/how-to-enter-sensitive-passwords-on.html

  25. Dennis says:

    Great info and hack. It really sucks that Safari developers think they know best and force us to use the browser the way they think it should be used.

    I can’t believe that we’re at Safari 5 and yet there’s still no option to ‘ask where to save file’ for file downloads! (Or am I wrong? Is it added and I just haven’t found it?). That’s the single missing feature which makes me use Firefox and/or Chrome instead most of the time.

  26. Chris says:

    Great, simple, quick solution (didn’t even require a Safari restart) at a great price. Sexual favors for a non-annoying web banking experience? Heck yes. :-)

    Thanks for sharing the code and making so many people happy. Best of luck to you on collecting payment.