Google Chrome has been disabling autofill in insecure HTTP forms on HTTPS sites, as reported by The Verge. This change was first spotted by security researcher Tavis Ormandy. Ormandy said that the change is a “major security vulnerability” because it makes it easier for attackers to steal your data if you’re filling out an online form on an HTTPS site and your computer is connected to the internet. Chrome has been disabling autofill in insecure HTTP forms on HTTPS sites since January of this year.
Starting in Chrome 86, Chrome automatically blocks autofill on forms that submit over HTTP. Even if your site is served over HTTPS, a form whose action points at an HTTP endpoint still sends its data over plain, unencrypted HTTP.
The Problem, and How To Fix It
The problem lies in the fact that HTML forms can sometimes be set to HTTP endpoints, regardless of how the rest of the site is delivered. For example, you may have a perfectly secure HTTPS site, and even redirect HTTP to HTTPS:
On that site, you could have a form like the following, which takes some input and POSTs to an endpoint.
If your forms are written like this, with a relative action instead of an absolute URL, everything is fine: the browser resolves the action against the page's own origin, so the form posts to the HTTPS endpoint automatically, in this case https://www.example.com/action_page.php.
However, if you instead use an absolute URL, for example to post to a different subdomain, it's possible to point the form at an insecure HTTP version of your site. Such a form will always post to the HTTP URL, because that is exactly what it was told to do.
Of course, the fix is very easy. Simply change the HTTP to HTTPS in the action, and the form will post properly.
If you want to check your code for insecure endpoints, you can do a Control+F search for the following:
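A manual text search only finds literal http:// strings, and it cannot tell you what a relative action actually resolves to. The script below is an added example, not code from the original article: it parses each form's action attribute, resolves it against the page URL the same way a browser does (a relative action inherits the page's scheme and host, an absolute one is used as-is), and reports every form that would submit over HTTP. The page URL, the file paths and the sample HTML are constructed for the example.

```python
"""Find forms that would submit over plain HTTP on an HTTPS page.

Added example, not code from the original article. Each <form action>
is resolved against the page URL the way a browser resolves it, and
forms whose resolved target uses the http scheme are reported.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> element in a document."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            attr_map = {name.lower(): (value or "") for name, value in attrs}
            # A form with no action attribute submits to the page's own URL.
            self.actions.append(attr_map.get("action", ""))


def resolve_form_action(page_url, action):
    """Resolve a form action against the page URL, as a browser would.

    "/action_page.php" on https://www.example.com/ becomes
    https://www.example.com/action_page.php; an absolute http:// URL stays
    exactly as written, which is the case Chrome 86 blocks autofill on.
    """
    return urljoin(page_url, action.strip())


def find_insecure_forms(page_url, html):
    """Return the resolved target URLs of forms on page_url that post over HTTP."""
    collector = FormActionCollector()
    collector.feed(html)
    insecure = []
    for action in collector.actions:
        target = resolve_form_action(page_url, action)
        if urlsplit(target).scheme.lower() == "http":
            insecure.append(target)
    return insecure


# Constructed sample: one relative action (safe), one absolute HTTP action
# to a different subdomain (insecure), one form with no action (safe).
SAMPLE_PAGE_URL = "https://www.example.com/login"
SAMPLE_HTML = """
<form action="/action_page.php" method="post">
  <input name="email"><input name="password" type="password">
</form>
<form action="http://shop.example.com/action_page.php" method="post">
  <input name="cardnumber">
</form>
<form method="post"><input name="q"></form>
"""


if __name__ == "__main__":
    # Usage: python find_insecure_forms.py https://www.example.com/ page.html ...
    # With no arguments the constructed sample page is scanned instead.
    if len(sys.argv) < 3:
        for url in find_insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
            print("insecure form target:", url)
    else:
        page_url, *paths = sys.argv[1:]
        for path in paths:
            with open(path, encoding="utf-8", errors="replace") as fh:
                for url in find_insecure_forms(page_url, fh.read()):
                    print(f"{path}: insecure form target: {url}")
```

Pass the URL the page is served from as the first argument so relative actions resolve correctly; only forms whose resolved target still starts with http:// are reported, so the relative action from the example above is correctly treated as safe while the absolute shop.example.com action is flagged.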