Autofill: What web devs should know, but don’t

Many people know that you can scan your credit card in Mobile Safari. But how many web developers know how to create a form that supports that feature?

Not many I’d bet.

It doesn’t help that Apple has provided zero documentation on how the scan credit card feature works.

But there is another factor at play here. The scan credit card feature is a subset of browser functionality that web developers have long ignored: autofill.

It’s understandable why web developers haven’t paid much attention to autofill. When you’re filling out forms with test data on a regular basis, autofill tends to get in the way.

But autofill is an important feature for our users. Google has found that “users complete forms up to 30% faster” when using autofill.

So let’s learn how autofill works, how to build forms that support cross browser autofill, and take advantage of new features like scanning credit cards.

How does autofill work?

Until recently, there were no standards when it came to autofill. Each browser implemented their autofill features differently and there was little documentation on how a browser determines what content a field expects.

Despite this chaotic situation, browsers seem to have settled on two main approaches:

1. Pre-determined autofill fields

Chrome, Opera and Safari have all taken the approach of identifying high-value form fields and providing a way to manage what the browser will autofill for those fields.

Opera’s Autofill Preference Pane

For example, Opera provides autofill for addresses and credit cards. These can be managed in the preferences as shown above.

Chrome, Opera and Safari all differ on which fields they provide autofill for, but the basic fields needed to complete a checkout process are well supported.

Most users never have to see or edit these preferences in order to utilize autofill. The browser watches the person filling out forms and when it recognizes an address or a credit card, it will ask if the user wants them to save that information to reuse later.

2. Autofill any field

If the previous approach is like a scalpel applied to preselected fields only, this second approach is a chainsaw cutting down every field in view.

When a form is submitted, Microsoft Edge and Firefox will store the value submitted along with the value of the name attribute. If the browser sees a field in the future with a matching name attribute, it will provide autofill options. Firefox also appears to look at the id in addition to the name attribute

Because there are security and privacy concerns with this approach, the autocomplete off value has long been supported to prevent the browser from storing and autofilling sensitive information.

Which approach is better?

While the second approach works for more fields, as a developer, I much prefer the pre-determined autofill fields approach.

It makes it much easier to figure out what information the browser has to autofill. It is also easier to set up test profiles.

Plus, with the second approach, you actually need to submit a form in order for the browser to store values to use with autofill. The browser won’t remember your answers without the form submission.

It also makes me nervous to think that the browser might store credit card information in a non-encrypted way if it can’t clearly identify the type of field.

Given how concerned Microsoft and Mozilla are about security and privacy, I’m certain they’ve put protections in place. But I personally feel more secure looking at an autofill preferences pane and seeing credit card information clearly separated and understood by the browser.

All that said, I don’t know what end users prefer. The second system works in more places, but I’ve seen quite a few support questions where people have been trying to remove their autofill options from the browser history.

It will be interesting to see how Edge and Firefox change when they began to support the new autofill standard.

One behavior to watch for

Sometimes browsers require more than one field of a certain type before they will present you with autofill options.

For example, in the following animated GIF, Safari won’t offer to autofill the single cardholder field, but it will offer to autofill it once there is a second card number field.

However, if the only field being collected is the card number, then Safari will offer the autofill option.

My experience has been that creating isolated test cases for single fields can be challenging because of this behavior. At one point in my testing, I encountered Opera requiring three fields before it would autofill, but I can no longer recreate that behavior.

This should never be an issue for a user so long as your form is written to support autofill (more on this soon), but I note it here in case you’re attempting to troubleshoot autofill and encounter this behavior.

The standards-based approach to autofill

Thankfully, there is a way forward for autofill. HTML5 recently expanded the autocomplete attribute to provide hints to the browser about what content a field expects.

The autocomplete attribute has been around for several years. It started with two values: on and off. By default, the autocomplete attribute is set to on which means that the browser is free to store values submitted and to autofill them in the form.

However, some fields are poor candidates for autofill behavior. In that case, the autcomplete attribute can be set to off to tell the browser that this field should be not autofilled.

Recently, additional values have been added as options for the autocomplete attribute. These new options are called autofill detail tokens. These tokens tell the browser what information the field is looking for.

One type of token is called the autofill field names. The autofill field names tell the browser what type of information a field expects.

For example, one of the autofill field names is organization. The HTML5 specification says that organization refers to:

Company name corresponding to the person, address, or contact information in the other fields associated with this field

If you wanted to tell the browser to autofill the organization field, your code would look something like this:

<input type="text" name="foo" id="bar" autocomplete="organization">

The HTML5 specification has a great table listing all 53 possible autofill field names, what their intended use is, and what type of input must be used with it.

That’s autocomplete at its simplest, but it gets more powerful and a bit more complex.

Shipping and billing

The value of the autocomplete attribute is actually a space-separated list of tokens. So for example, if you wanted to collect shipping information, you would prepend the autocomplete value with the “shipping” token like so:

<textarea name="sa" autocomplete="shipping street-address">
</textarea>
<input type="text" name="sc" autocomplete="shipping address-level2">
<input type="text" name="ss" autocomplete="shipping address-level1">
<input type="text" name="ct" autocomplete="shipping country-name">
<input type="text" name="pc" autocomplete="shipping postal-code">

The billing token works exactly the same way as shipping.

Telephones, email and instant messaging

Another token option applies to telephone, emails and instant messaging. For those services, there is an optional token to indicate if the autofill field name is referring to home, work, mobile, fax or pager.

For example:

<input type="tel" name="home-phone" autocomplete="home tel"> 
<input type="tel" name="work-phone" autocomplete="work tel">
<input type="email" name="home-email" autocomplete="home email"> <input type="url" name="chat" autocomplete="home impp">

Broad versus narrow autofill field names

The specification provides for both broad and narrow autofill field names for many of the types of information.

For example, in addition to the tel field which would be a single input containing a full telephone number, there are also:

  • tel-country-code
  • tel-national
  • tel-area-code
  • tel-local
  • tel-local-prefix
  • tel-local-suffix
  • tel-extension

The specification authors encourage you to use the broad autofill field names as often as possible:

Generally, authors are encouraged to use the broader fields rather than the narrower fields, as the narrower fields tend to expose Western biases. For example, while it is common in some Western cultures to have a given name and a family name, in that order (and thus often referred to as a first name and a surname), many cultures put the family name first and the given name second, and many others simply have one name (a mononym). Having a single field is therefore more flexible.

I agree with this recommendation. And as a practical matter, it means that it is important to pay attention to the table of values and make sure you’re using the right one for the field you’re working with.

Sections

The final feature of the new autocomplete attribute tokens is the ability to declare an arbitrary section to group fields.

A section is defined using a token that starts with section-. What comes after the dash is up to you. The specification provides this example of sections:

<fieldset> 
<legend>Ship the blue gift to…</legend>
<label> Address:
<input name=”bc” autocomplete=”section-blue shipping street-address”>
</label>
<label> City:
<input name=”bc” autocomplete=”section-blue shipping address-level2">
</label>
<label> Postal Code:
<input name=”bp” autocomplete=”section-blue shipping postal-code”> </label>
</fieldset>
<fieldset> 
<legend>Ship the red gift to…</legend>
<label> Address:
<input name=”ra” autocomplete=”section-red shipping street-address”>
</label>
<label> City:
<input name=”rc” autocomplete=”section-red shipping address-level2">
</label>
<label> Postal Code:
<input name=”rp” autocomplete=”section-red shipping postal-code”> </label>
</fieldset>

All the tokens

Put all together, we’ve now got a much more complex set of tokens for the autocomplete attribute. And the order of the tokens matters.

First, you’re either using on and off values OR you’re using autofill field names. You can’t use them at the same time.

If you’re using the autofill tokens, the order is:

[section-](optional) [shipping|billing](optional) [home|work|mobile|fax|pager](optional) [autofill field name]

And keep in mind that [home|work|mobile|fax|pager] only applies for the telephone, email and chat autofill field names.

The longest possible set autofill token might look something like this:

<label for="foo">Mobile phone for delivery</label> 
<input type="text" name="foo" id="foo" autocomplete="section-red shipping mobile tel">

Yay for standards! We’re done, right?

I’m afraid not. My hope is that eventually all of the browsers will support the expanded autocomplete standard, but that’s not the current situation.

I tested browsers on mobile and desktop to see what attributes the autofill appeared to honor. This is what I found:

Thus far, only Chrome and Opera clearly support the new autocomplete features.

Safari appears to have partial support, but because they don’t have documentation, I can’t tell if this is intentional or simply a regular expression match that happens to be looking at the autocomplete attribute as well as name and other attributes.

Safari’s strange behavior

Since the release of iOS 8’s credit card scanning feature, web developers have been reading tea leaves trying to divine what combination of markup Safari is looking for.

Some suggest that you have to have specific values in the name field. Others found values in ids work. Even labels seem to matter:

The Cardholder’s name is quite a bit more tricky. We messed around with various IDs for a long time and almost gave up. We couldn’t figure out an ID that would cause Card Scan to populate it. After much frustration we finally discovered that the TEXT of the label associated with the field matters. Setting the label text to “Name on card” was the magic trick.

I’ve done quite a bit of testing, and I’m still not confident that I understand fully what Safari is doing. However, I’ve seen enough to be able to draw some basic conclusions:

Contact and address fields support autocomplete

Safari recognizes the form I created that only includes autocomplete attributes. The moment I start typing in the first field, it offers to fill in the form with my contact information.

This all works as expected with a couple of caveats.

First, it is unclear what Safari is using to make decisions about what information to autofill from my contact in the Mac’s address book. My job title is filled in, but the company I work for isn’t.

Second, it doesn’t give users the option to select which information they want to use. My contact contains both my home address and my work address. Safari only wants to autofill my home address. I’m out of luck if I want to ship something to the office.

Payment fields are completely wonky

When it comes to the payment fields, Safari’s behavior changes completely. The autocomplete attribute is ignored.

Instead, there is some sort of magical heuristic that Safari is using. And because I’m not an Apple magician, it has been difficult to discern what Safari is actually doing:

In the video above, I edit the labels of two fields. Both have autocomplete set as well as name and id which should help Safari identify the field.

And yet, Safari doesn’t recognize the fields until the labels are changed to Name on Card and Credit Card Number. As mentioned earlier, Safari needs to see more than one field to trigger autofill.

Then I try changing the label to CCNumber which continues to work. However, changing it to CC Number breaks the autofill.

Basically, Safari has an unpublished list of terms that it is searching for. Fortunately, Jacques Caron was able to extract a list of strings from the iOS Simulator that Safari appears to be looking for:

  • card number
  • cardnumber
  • cardnum
  • ccnum
  • ccnumber
  • cc num
  • creditcardnumber
  • credit card number
  • newcreditcardnumber
  • new credit card
  • creditcardno
  • credit card no
  • card#
  • card #
  • cvc2
  • cvv2
  • ccv2
  • security code
  • card verification
  • name on credit card
  • name on card
  • nameoncard
  • cardholder
  • card holder
  • name des karteninhabers
  • card type
  • cardtype
  • cc type
  • cctype
  • payment type
  • expiration date
  • expirationdate
  • expdate
  • month
  • date m
  • date mo
  • year
  • date y
  • date yr

In my experiments, both:

<input type="text" name="nameoncard"> 
<input type="text" name="ccnumber">

and:

<label for="foo">Name on Card</label> 
<input type="text" name="foo" id="foo">
<label for="bar">Credit Card Number</label>
<input type="text" name="bar" id="bar">

will trigger Safari’s autofill and the scan credit card feature on iOS. However, putting the same values into the autocomplete attribute will not work.

Building a cross browser autofill form

Given what we’ve learned, is it truly possible to build a form that supports autofill across browsers? I think it is.

Or at least, we can get very close by taking these four steps.

1. Add autocomplete attributes

This is the future of autofill. Browsers that don’t recognize the values will ignore them.

This is progressive enhancement at its best.

2. Use common values for input name attributes

To take advantage of autofill for Firefox and Edge users, you have to hope that the values you pick for the name attribute match what developers on other sites have used.

One way to do this would be to survey popular sites and see what they use and then use the same values.

Or perhaps use the same values as the autocomplete field in hopes that as more web developers become familiar with the standard that they will start using those names for their fields.

Unfortunately, there is no way to guarantee that your Firefox and Edge users will have previously visited a form that uses the same name values as your form does.

3. Add name and/or label values that match the list Safari is looking for

Using the list that Jacques Caron was able to extract, you can modify the values for the name attribute or the label to match what Safari expects.

4. Make autofill part of your test plans

Lately, I’ve been asking audiences to raise their hands if autofill is part of their test plans. No one does.

I’ve been working on the web since 1996, and I have yet to see autofill as part of the test plan.

I suspect that autofill is a blindspot for web developers and designers. Therefore, it is critical we test our products to ensure that they work well with autofill.

The final form

Here is a sample form that supports autofill on Chrome, Safari, Opera, Firefox and Edge:

To see it in action, you’ll need to view it on CodePen under https or the browser won’t fill in the credit card information.

I’ve also built a form with all 53 fields in the autocomplete specification. No browser currently supports all 53 fields.

The future of autofill and forms

There is a lot of movement from browser makers towards tackling the problem of web payments. The Payment Request API is being co-authored by Mozilla, Microsoft, Google and Facebook.

Apple is participating in the Web Payments Working Group which is where the Payment Request API is being hashed out. So it appears that Apple is at least nominally onboard with the Payment Request API.

Plus, rumor has it that Apple Pay will be available on mobile web for the holiday shopping season which makes it feel like this new momentum around web payments might be real this time.

This renewed focus on streamlining the web checkout process has me optimistic that support for autofill detail tokens will grow in the near term. And these tokens make creating forms that work with autofill so much simpler.

And most importantly, supporting autofill will make filling out forms less tedious for our users and lead to increased sales for e-commerce sites.


Originally published at blog.cloudfour.com on May 19, 2016.