Autocomplete security improvement

[iuriemalai]

Using the template resources/views/vendor/statamic/forms/fields/default.antlers.html, to avoid the browser warning about the missing autocomplete attribute for input fields and to prevent it from saving confidential data when the user is not logged in, I (suggest to) modify the line {{ autocomplete ?= 'autocomplete="{autocomplete}"' }} as in example below. What you think about this? Don't you think this should happen by default?

Why this matters
Privacy & Security: Prevents browsers from saving or suggesting sensitive form input values for non-authenticated users. This is especially relevant for public/guest forms.

Accessibility compliance: Avoids browser console warnings about missing autocomplete attributes.

Developer friendly: Still allows developers to explicitly set autocomplete, and respects that setting — but only for authenticated users.

Result
Logged-in users: can benefit from developer-defined autocomplete values.
Logged-out users: autocomplete is safely disabled (autocomplete="off"), reducing autofill risks.

<!-- /vendor/statamic/forms/fields/default.antlers.html -->
<input
    x-model="form.{{ handle }}"
    @change="form.validate('{{ handle }}')"
    :aria-invalid="form.invalid('{{ handle }}')"
    :class="{
        'border-red-600 focus:border-red-600 outline-red-600/50!': form.invalid('{{ handle }}'),
        'border-neutral focus:border-primary': !form.invalid('{{ handle }}')
    }"
    class="w-full rounded-sm caret-primary"
    id="{{ handle }}"
    name="{{ handle }}"
    type="{{ input_type ?? 'text' }}"
    {{ placeholder ?= 'placeholder="{placeholder}"' }}
    {{ instructions ?= 'aria-describedBy="{handle}-instructions"' }}
    {{ character_limit ?= 'maxlength="{character_limit}"' }}
    {{ autocomplete ? (logged_in ? 'autocomplete="{autocomplete}"' : 'autocomplete="off"') : 'autocomplete="off"' }}
    {{ old ?= 'value="{old}"' }}
/>
<!-- End: /vendor/statamic/forms/fields/default.antlers.html -->

[edalzell]

Sounds reasonable to me, you could PR that?

[iuriemalai]

Ok.

[jasonvarga]

If a missing autocomplete attribute is a problem, then sure, it's fine to add it.

But I don't think we need to worry about the logged in/out logic. For example, if I'm on a form where its asking for my name, it would be nice for my browser to suggest my name whether I'm logged in or out.

[iuriemalai]

Even if you're on a public computer? There may be other sensitive information that the browser can automatically save. That's not good.