
Add autocomplete="off" to all generated hidden fields (fixes #42610) b...

 2 years ago
source link: https://github.com/rails/rails/pull/43280


Contributor

ryanfb commented 6 days ago

Summary

Firefox has a longstanding bug where it may populate hidden inputs without autocomplete="off" with completely random values. Since Rails uses hidden fields extensively for e.g. CSRF protection and non-standard HTTP methods via _method, Firefox users interacting with otherwise-fine Rails apps will see random "Invalid Authenticity Token" errors and form inputs getting interpreted as the incorrect HTTP method, among other unexpected behavior. Adding autocomplete="off" does not appear to have any negative consequences for other browsers, and is valid HTML. There's more discussion and links at: #42610

I recently bundled my workaround for this into a gem for Rails 6.1 apps, rails-hidden_autocomplete, which I've now reworked into this PR so that it can benefit all Rails users & developers, since this bug is currently extremely frustrating to diagnose and fix in real-world apps (see also podqueue/rails-hidden_autocomplete#2).

Other Information

I appreciate that this change might need to be gated behind a new framework default for ActionView, which I'd be happy to work on adding if that's the consensus.
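
One way to check rendered markup for the condition described in the summary above, as an added example that is not code from the pull request, the gem, or Rails. The helper names and the sample form are constructed for illustration, and the scan is regex-based to stay within the standard library.

```ruby
# Added example: list hidden inputs in rendered HTML that lack autocomplete="off".
# Assumption: no attribute value contains ">"; use an HTML parser for real audits.

INPUT_TAG = /<input\b[^>]*>/im
ATTR = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/m

# Parse one <input ...> tag into a Hash keyed by lowercase attribute name.
# Valueless attributes map to ""; the first occurrence of a name wins.
def input_attributes(tag)
  body = tag.sub(/\A<input\b/i, "").sub(/\/?>\z/, "")
  body.scan(ATTR).each_with_object({}) do |(name, dq, sq, bare), attrs|
    attrs[name.downcase] ||= (dq || sq || bare || "")
  end
end

# Return the name of every hidden input whose autocomplete attribute is
# missing or set to anything other than "off" (case-insensitive).
def hidden_inputs_missing_autocomplete_off(html)
  html.scan(INPUT_TAG).filter_map do |tag|
    attrs = input_attributes(tag)
    next unless attrs["type"].to_s.downcase == "hidden"
    next if attrs["autocomplete"].to_s.downcase == "off"
    attrs.fetch("name", "(unnamed)")
  end
end

# Constructed sample markup in the shape of a Rails-generated form.
SAMPLE_FORM = <<~HTML
  <form action="/posts/1" method="post">
    <input type="hidden" name="_method" value="patch">
    <input type="hidden" name="authenticity_token" value="CONSTRUCTED_TOKEN" autocomplete="off" />
    <input type='hidden' name='post[lock_version]' value='3' autocomplete='on'>
    <input type="text" name="post[title]">
    <INPUT TYPE=hidden NAME=utf8 VALUE=1>
  </form>
HTML

if __FILE__ == $PROGRAM_NAME
  hidden_inputs_missing_autocomplete_off(SAMPLE_FORM).each do |name|
    puts "hidden input without autocomplete=\"off\": #{name}"
  end
end
```

Run against a saved response body or a view test's rendered output, an empty result means every hidden field in that page carries the attribute.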

