Autocomplete Always On!

Screenshot of Safari AutoFill preference panel

What this program does

Patches WebCore (Safari’s HTML engine) to ignore the “autocomplete” flag (a non-standard HTML extension of IE) used by some banks and other web sites to disable a browser’s AutoFill feature on certain pages.

Note: Please be sure you have the “User names and passwords” checkbox selected in the AutoFill Safari preference pane, otherwise it won’t make any difference whether you apply this patch or not!

About security

While the “autocomplete=off” gimmick might increase security for a malware-infested OS like Windoze, the opposite is true for a secure OS like MacOS X. Use of this flag is actually a security risk for the Mac user because it encourages users to use weak passwords, or to save them on disk as a plaintext file. Passwords are far more secure sitting encrypted in the Mac’s Keychain (which Safari uses to store this kind of information). If you don’t have to remember and type in the password manually, you are far more likely to use a strong password.

Open source

Autocomplete Always On! is open source. It’s an AppleScript Application and is not saved as “Run Only”, so all you have to do is drop it on top of Apple’s Script Editor app (in Applications -> AppleScript) to see its source code.

Theory of operation

Only two bytes are changed in the WebCore file. There are two instances of the word “autocomplete” in the WebCore file which are surrounded by null characters. One consists of all lower-case characters, the other of all upper-case characters. In both instances we change the “A” character to a lower-case “x”. This effectively disables checking for the “autocomplete=off” flag, so the flag is ignored. We use a one-line perl search-and-replace call to make the patch (and create a backup, if requested), so this program is not dependent on a particular build of WebCore (i.e. we do not assume an absolute location of the bytes to be changed).

Before applying the patch, we first check for the “autocomplete” markers, and exit if none are found. This makes it safe for the user to run this program on a previously patched WebCore. This also prevents overwriting the backup file with a copy of the patched WebCore file. If WebCore is unpatched, the user is offered the option to create a backup of the WebCore file. Since it is unlikely the user will want to revert from this patch, since there is little which can go wrong in the patching process, and since the WebCore file is in a hard-to-reach location in the bowels of the system, creating a backup is not the default.
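
The marker check and the two-byte, same-length patch described in the two paragraphs above can be sketched as follows. This is an added example in Python, not the program's own perl one-liner or AppleScript source; it runs on a constructed byte string rather than the real WebCore file, and it assumes the replaced character is the first letter of each marker.

```python
from __future__ import annotations
import re

# Null-delimited markers described on the page: one all lower-case, one all
# upper-case. Lookarounds keep the surrounding NUL bytes out of the match.
MARKER = re.compile(rb"(?<=\x00)(autocomplete|AUTOCOMPLETE)(?=\x00)")


def find_markers(blob: bytes) -> list[int]:
    """Return the offset of the first letter of each null-delimited marker."""
    return [m.start() for m in MARKER.finditer(blob)]


def patch(blob: bytes) -> tuple[bytes, int]:
    """Overwrite the first letter of each marker with b'x' (assumed position).

    Returns (new_blob, bytes_changed). A blob with no markers (already
    patched, or a changed file format) comes back untouched with a count
    of 0, which is the signal to skip both the write and the backup.
    """
    offsets = find_markers(blob)
    if not offsets:
        return blob, 0
    out = bytearray(blob)
    for off in offsets:
        out[off:off + 1] = b"x"  # same length, so nothing else in the file moves
    return bytes(out), len(offsets)


def diff_offsets(a: bytes, b: bytes) -> list[int]:
    """Offsets where two equal-length blobs differ, to audit the patch."""
    if len(a) != len(b):
        raise ValueError("patch must not change the file length")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# Constructed sample standing in for the binary; not real WebCore content.
# The last two strings are near-misses that must not be touched.
SAMPLE = (b"\x7fHDR\x00autocomplete\x00pad\x00AUTOCOMPLETE\x00"
          b"noautocomplete\x00autocompleted\x00")

if __name__ == "__main__":
    patched, n = patch(SAMPLE)
    print("markers patched:", n, "at", diff_offsets(SAMPLE, patched))
    print("second run patches:", patch(patched)[1])
```

Searching for the markers instead of writing to fixed offsets is what lets the same check double as a "was this file already modified?" test: an unmodified file reports two markers, a patched one reports none.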

If Safari is active while WebCore is patched, Safari will likely not notice the changes until it is restarted. Therefore a check is made to see if Safari is active and, if it is, an offer is made to restart it.


This program was designed for Tiger (MacOS X 10.4), but will probably work for later versions if Apple doesn’t change the location or format of the WebCore file (and if Apple does, this program will refuse to patch the file, so it should be safe to try). It hasn’t been tested with earlier OS versions, but may work (Panther may require full pathnames in the do shell script calls, however).


Requires perl, which is installed as part of the BSD system.

Copyright and Warranty Disclaimer

Written by Michael Kisor. All rights reserved. Copyright © 2006 by Michael Kisor. Use at your own risk.

This program is distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

This page was last updated on 8-April-2006