Chrome’s Autofill and honeypot fields
Ai developers typically add a hidden “honeypot” field to forms to avoid spam bots. Spam bots usually fill out all of the fields on a form, including the honeypot field. When the honeypot field is filled out and the form is submitted, the form information is not captured.
While doing some cross-browser form testing for several sites I noticed that in the Chrome browser form information wasn’t always being captured.
Upon further investigation I learned that Chrome’s Autofill feature is causing this problem. Chrome’s Autofill fills out the honeypot field and makes the form think that it has been filled out by a spam bot. Since this may result in a significant amount of legitimate form submissions not reaching their intended target, it is important to test all forms with Chrome’s Autofill in mind. Developers need to provide a solution that successfully curbs malicious spam bots without preventing legitimate form submissions.
I’ve been using a honeypot technique on my site for years and just discovered this problem. Do you have any solutions? Maybe renaming the hidden field?
After a year, I don’t think Chrome is any closer to acknowledging this issue. So, the only real solution I’ve found so far is to add an autocomplete=”off” attribute/value to the form tag.