Chrome Autofill/Autocomplete no value for password

javascript google-chrome html

This seems to be a bug in Chrome. When Chrome auto-fills a password on an initial page load (but not a refresh), the value appears in the form field on-screen, but querying passwordField.value in Javascript returns an empty string. If you depend on seeing that value in Javascript, this prevents you from doing so. Once the user does any other action on the page, such as clicking anywhere on the page, the value suddenly becomes visible to Javascript.

I'm not actually 100% sure if this is a bug, or if there is a security reason for doing this such as preventing a hidden frame from stealing your password by tricking the browser into filling it in.

A workaround that we have used is to detect the background color change that Chrome makes to fields that it has auto-filled. Chrome colors the background of auto-filled fields yellow, and this change is always visible to Javascript even when the value is not. Detecting this in Javascript lets us know that the field was auto-filled with a value, even though we see the value as blank in Javascript. In our case, we have a login form where the submit button is not enabled until you fill in something in the password field, and detecting either a value or the auto-fill background-color is good enough to determine that something is in the field. We can then enable the submit button, and clicking the button (or pressing enter) instantly makes the password field value visible to Javascript because interacting with the page fixes the problem, so we can proceed normally from there.


Working Answer as of July 8, 2016

Adam correctly stated this is a bug (or intended behavior). However, none of the previous answers actually say how to fix this, so here is a method to force Chrome to treat the autocompleted value as a real value.

Several things need to happen in order, and this needs to only run in Chrome and not Firefox, hence the if.

First we focus on the element. We then create a new TextEvent, and run initTextEvent, which adds in a custom string that we specify (I used "@@@@@") to the beginning of the value. This triggers Chrome to actually start acting like the value is real. We can then remove the custom string that we added, and then we unfocus.

Code:

input.focus();

var event = document.createEvent('TextEvent');

if ( event.initTextEvent ) {

    event.initTextEvent('textInput', true, true, window, '@@@@@');

    input.dispatchEvent(event);

    input.value = input.value.replace('@@@@@','');

}

input.blur();

Edit August 10, 2016

This only works right now in Chrome on Windows and Android. Doesn't work on OSX. Additionally, it will stop working at all in Sept 2016, according to:

https://www.chromestatus.com/features/5718803933560832

Also, I've opened a Chromium ticket.

https://bugs.chromium.org/p/chromium/issues/detail?id=636425

As of August 12, a member of the Chrome team said on the above ticket that the behavior won't be changing because they don't consider it a bug.

Long-term Work-Around Suggestion:

That said, the current behavior has been tweaked from when it was first implemented. The user no longer has to interact with the password input for the value to be reported. The user now just needs to interact (send a mouse or keyboard event) with any part of the page. That means that while running validation on pageload still won't work, clicking on a submit button WILL cause Chrome to correctly report the password value. The work-around then, is to revalidate all inputs that might be autocompleted, if that is what you are trying to do, on submit.

Edit December 13, 2016:

A new Chromium ticket has been opened and is being received better. If interested in changing this behavior of Chrome's, please star this new ticket:

https://bugs.chromium.org/p/chromium/issues/detail?id=669724


Continuing from what Andy Mercer said, here's my work around. Like a lot of people, I don't need the actual password value. I really just need to know that the password box has been autofilled, so that I can display the proper validation messages.

Personally, I would not use suggested solution to detect the background color change cause by Chrome's autofill. That approach seems brittle. It depends on that yellow color never changing. But that could be changed by an extension and be different in another Blink based browser (ie. Opera). Plus, there's no promise Google wont use a different color in the future. My method works regardless of style.

First, in CSS I set the content of the INPUT when the -webkit-autofil pseudo-class is applied to it:

input:-webkit-autofill {
  content: "\feff"
}

Then, I created a routine to check for the content to be set:

const autofillContent = `"${String.fromCharCode(0xFEFF)}"`;
function checkAutofill(input) {
    if (!input.value) {
        const style = window.getComputedStyle(input);
        if (style.content !== autofillContent)
            return false;
    }

    //the autofill was detected
    input.classList.add('valid'); //replace this. do want you want to the input
    return true;
}

Lastly, I polled the input to allow the autofill time to complete:

const input = document.querySelector("input[type=password]");

if (!checkAutofill(input)) {
    let interval = 0;
    const intervalId = setInterval(() => {
        if (checkAutofill(input) || interval++ >= 20)
            clearInterval(intervalId);
    }, 100);
}

Related

Dependency injection using Azure WebJobs SDK?
How to make div occupy remaining height?
How can you rotate text for UIButton and UILabel in Objective-C?
Reconstruct / get source code of a PHP function
std::set with user defined type, how to ensure no duplicates
What is the meaning of %r?
Implementing a method taking a block to use as callback
Merge unequal dataframes and replace missing rows with 0
Evaluate a string with a switch in C++ [duplicate]
AngularJS resource promise
How do I update states `onChange` in an array of object in React Hooks
How can I make a link from a <td> table cell