Google introduces insecure form warnings in Chrome 86 Stable
Many Internet sites rely on functionality that uses forms in one form or another. Here on Ghacks, we use forms in the comment section, but sites may use forms for a variety of purposes including bank transfer information, credit card data, a personal message to the webmaster, or to add comments to a file upload.
One of the main issues with forms is that it may not be immediately clear whether the submitted data is encrypted. Advanced users can inspect the site's code to check the form, but the majority of users probably do not know how to do that.
Google plans to introduce insecure form warnings in the company's Chrome web browser in the near future. Starting in Chrome 86, the browser will warn users if a form is not secure. Additionally, it will also disable autofill on these forms automatically.
The company notes that insecure forms "are a risk to users' security and privacy", and explains that the information that is entered into insecure forms "can be visible to eavesdroppers" and that the data can be read or even changed.
Google Chrome 86 takes a layered approach to protection when it comes to insecure forms. The first thing that users may notice is that autofill is disabled; according to Google, Chrome's password manager and the automatic filling of usernames and passwords continue to work, though. An explanation as to why that is the case has not been provided at the time of writing.
Chrome users may still fill out forms manually and Chrome will show another warning to alert users that the form is not secure. A click on submit does not submit the form right away; Chrome displays an intermediary page first that contains yet another warning stating that "the information you're about to submit is not secure". Options to go back or to send the form anyway are provided.
Google Chrome 86 Stable will be released on October 6, 2020 according to the release schedule. Webmasters who still use insecure forms on their sites are encouraged to change that immediately.
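For webmasters who want to check their own pages, here is an added example (not code from Google or from this article): it parses a page's HTML and reports every form or submit control whose target resolves to plain http://, which is when submitted data travels unencrypted. The name insecure_forms, the sample markup and the .example hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAudit(HTMLParser):
    """Collect form targets that resolve to plain http:// for a given page URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url   # replaced by <base href>, as browsers do
        self.findings = []     # (line, tag, resolved target URL)

    def _check(self, tag, target):
        target = (target or "").strip()
        # A missing or empty action submits to the document's own URL.
        resolved = urljoin(self.base, target) if target else self.page_url
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, resolved))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            self.base = urljoin(self.page_url, a["href"])
        elif tag == "form":
            self._check(tag, a.get("action"))
        elif tag in ("button", "input") and a.get("formaction"):
            # formaction on a submit control overrides the form's action.
            self._check(tag, a["formaction"])

def insecure_forms(html, page_url):
    """Return [(line, tag, url)] for every submission target using http://."""
    parser = FormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; the .example hosts are placeholders.
SAMPLE = """<html><body>
<form action="/search"><input name="q"></form>
<form action="http://shop.example/checkout" method="post">
  <input name="card">
  <button formaction="https://shop.example/save">Save</button>
</form>
<form action="//forms.example/contact"></form>
<form method="post"><button formaction="http://legacy.example/post">Go</button></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, url in insecure_forms(SAMPLE, "https://shop.example/cart"):
        print(f"line {line}: <{tag}> submits to {url}")
```

Relative and protocol-relative targets inherit the scheme of the page URL passed in, so audit each page with the URL it is actually served from.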
Insecure form warnings help users identify a problem that they may be unaware of. It is good that it is still possible to send the form, as there may be no other way at times. The fact that passwords are still autofilled by Chrome is problematic, and it is not clear why Google decided to allow autofilling in that case but not in others, considering that passwords are in many cases more important than other form data.
Now You: What is your take on Google's decision?
This is their game. They profess to invoke something to keep you safe but that means they have to spy on the thing you do. The more safety and convenience they invent the more spying they can perform.
Does newer Firefox (I mean Firefox Quantum) open HTTP websites without a warning or any issues?
Can people submit forms, comments, messages, etc. on these websites without a warning, impossibility, or problem?
Yes you can access HTTP sites using Firefox.
I fill out tons of online forms regarding environmental/conservation issues but use Roboform to fill them out. I trust it. Wouldn’t use a browser or little extension formfiller. That just doesn’t seem smart compared to a trusted password manager doing it for you.
They hid (only on hover) in the search results that a site is not using “https://” and then they are complaining about their own results…Pathetic.
They should show the protocol and punish (pushing down) “http://” sites in the search results for a start.
Mozilla had this warning already.
Would you trust a mafia with your house and pets? Then why your computer and personal files?
The choices here are big brother (Google, Microsoft) or big brother’s little brother (Mozilla). Or something sane for a change.
I run a chat application and I’m being forced to put a warning for Chrome M86 users. When they focus the chat input field, Google tells them that the form is insecure, no matter what hacks I use to disable autocomplete.
Terrible… can’t even log in without this popping up, so it is not really about forms.
Any chance users can white-list our own URLs?