Many Internet sites rely on forms in one way or another. Here on Ghacks, we use forms in the comment section, but sites may use forms for a variety of purposes including bank transfer information, credit card data, a personal message to the webmaster, or adding comments to file uploads.
One of the main issues with forms is that it may not be clear right away whether the data that is submitted is encrypted or not. Advanced users may inspect the site’s code to examine the form, but the majority of users probably do not know how to do that.
Google plans to introduce insecure form warnings in the company’s Chrome web browser in the near future. Starting in Chrome 86, the browser will warn users if a form is not secure. It will also disable autofill on these forms automatically.
The company notes that insecure forms “are a risk to users’ security and privacy”, and explains that the information that is entered into insecure forms “can be visible to eavesdroppers” and that the data can be read or even changed.
Google Chrome 86 comes with a layered approach to protection when it comes to insecure forms. The first thing that users may notice is that autofill is disabled; Chrome’s password manager and the automatic filling out of usernames or passwords continue to work though, according to Google. An explanation as to why that is the case has not been provided at the time of writing.
Chrome users may still fill out forms manually and Chrome will show another warning to alert users that the form is not secure. A click on submit does not submit the form right away; Chrome displays an intermediary page first that contains yet another warning stating that “the information you’re about to submit is not secure”. Options to go back or to send the form anyway are provided.
Google Chrome 86 Stable will be released on October 6, 2020, according to the release schedule. Webmasters who still use insecure forms on their sites are encouraged to change that immediately.
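The following Python check is an added example, not part of the original article or Google's announcement: it lists the forms on a page whose submission target resolves to plain HTTP, which is one way a webmaster could find forms to fix. It assumes "insecure" means the resolved target uses the http scheme; the function names, page URL and markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample input: page URL and markup are illustrative only.
SAMPLE_PAGE = "https://shop.example/checkout"
SAMPLE_HTML = """
<form action="http://shop.example/pay"><input name="card"></form>
<form action="/search"><input name="q"></form>
<form><button formaction="//legacy.example/post">Send</button></form>
"""


class FormAudit(HTMLParser):
    """Collect the raw submission target of every form and submit control."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = None          # set by the first <base href>, if any
        self.targets = []         # (tag, raw attribute value)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = urljoin(self.page_url, a["href"].strip())
        elif tag == "form":
            self.targets.append((tag, (a.get("action") or "").strip()))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self.targets.append((tag, a["formaction"].strip()))


def insecure_form_targets(page_url, html):
    """Return (tag, resolved URL) pairs that would submit over plain HTTP."""
    audit = FormAudit(page_url)
    audit.feed(html)
    audit.close()
    base = audit.base or page_url
    findings = []
    for tag, raw in audit.targets:
        # An empty action submits to the document's own URL, not the base.
        resolved = urljoin(base, raw) if raw else page_url
        if urlsplit(resolved).scheme == "http":
            findings.append((tag, resolved))
    return findings


if __name__ == "__main__":
    for tag, url in insecure_form_targets(SAMPLE_PAGE, SAMPLE_HTML):
        print(f"insecure <{tag}> target: {url}")
```

Relative and protocol-relative targets inherit the scheme of the page (or of a `<base href>`), so the same markup can be fine on an HTTPS page and flagged on an HTTP one.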
Closing words
Insecure form warnings help users identify a problem that they may be unaware of. It is good that it is still possible to send the form, as there may be no other way at times. The fact that passwords are still auto-filled by Chrome is problematic, and it is not clear why Google decided to allow autofilling in that case but not in others, considering that passwords are in many cases more important than other form data.