Bug 425145 implements a preference that allows the user to override `autocomplete=off` Bug 956906 asks for the preference to be turned on by default. As per Justin's comment on bug 425145 comment 53, Firefox supports doorhangers -- non-modal notifications that turn up on the location bar and can be addressed if the user feels like it. We probably can add a doorhanger for this feature, too, if autocomplete is being overridden, and the page uses autocomplete=true, then display a doorhanger that says something like "This website wished to block form autofill, however your preferences overrode that. Do you wish for this behavior to continue?" or similar.

Realized a little hitch: The password manager is in the toolkit, and the toolkit doesn't seem to have access to the browser variable since it's ... well ... the toolkit. (PupupNotifications requires[1] gBrowser) Any idea how I could add some code here that will run *if* there is a browser, and where would I get access to the browser variable in that case? I could possibly add code for this in a small module under /browser, and import it here. Not sure how to go about that though. [1]: https://developer.mozilla.org/en-US/docs/Using_popup_notifications

WAG: Send out an observer notification from toolkit, identifying the content page with autocomplete=off. Then it's up to an observer in the front-end UI on how to handle the notification.

(In reply to Philip Chee from comment #5) > WAG: Send out an observer notification from toolkit, identifying the content > page with autocomplete=off. Then it's up to an observer in the front-end UI > on how to handle the notification. Thanks, this works well :D If this is implemented we'll need a "learn more" page for it, like this one: https://support.mozilla.org/en-US/kb/how-does-content-isnt-secure-affect-my-safety?as=u&utm_source=inproduct

I just realized that there are a bunch of different doorhangers that we can support: - When submitting a form with autocomplete on without the override, have a popup doorhanger that asks "This page has disabled password saving, do you still wish to save the password"?, with the options: - No - No, and don't show this message again - Yes - Do not allow websites to disable password saving - Not Now - When submitting a form with autocomplete on *with* the override, have a non-popup doorhanger (dismissed:true) that asks "This page wished to disable password saving, however your preferences overrode that" - Continue to override - Stop overriding - Not Now (The wording could be improved) Needinfo'ing Justin since it was initially his idea. Also, if someone could make icons for this it would be great.

This seems like overkill/potentially annoying. IMO we should fix bug 956906 (or some form of it - possibly just the "save password" part).

Yeah. We should either ignore the attribute entirely (956906), or treat it as a cue to prompt to fill the page manually. (Don't have the bug # handy, but it's been a long-standing security quest to have a way to disable automatic formfill, and instead have a "do you want to log in on this page [yes] [no]" kind of prompt. If we had that, automatic formfill + autocomplete=off could use it.)

(In reply to Justin Dolske [:Dolske] from comment #9) > and instead have a "do you want to log in on this page > [yes] [no]" kind of prompt. Yeah, that would work, and probably can be implemented via doorhangers again :) If you find that bug, let me know, I might work on it.