docs/security/autofill-across-iframes.md
Chrome Autofill fills in frame-transcending forms like the following example.
```html
<!-- Top-level document URL: https://merchant.example/... -->
<form>
  Cardholder name:
  <input id=name>
  Credit card number:
  <iframe src="https://psp.example/..." allow=autofill>
    #document
      <input id=num>
  </iframe>
  Expiration date:
  <input id=exp>
  Verification code:
  <iframe src="https://psp.example/..." allow=autofill>
    #document
      <input id=cvc>
  </iframe>
  <iframe src="https://ads.example/...">
    #document
      <input id=account>
  </iframe>
</form>
```
An autofill fills a form control candidate only if one of the following is true:
The second bullet point is going to be replaced with the new policy-controlled feature autofill, which allows a page to select which embedded content is (not) trusted to receive autofill input. Then, an autofill will fill a form control candidate only if one of the following is true:

* autofill is enabled in the candidate's node document.

Starting in Chrome 153 (October 2026), autofill suggestions will include a warning if they'd fill a field in whose node document autofill is disabled.
In the long term, the first bullet point (and the warnings) will be removed.
Note that the above conditions are necessary but not sufficient for Chrome to autofill a field. In particular, Chrome does not fill credentials across frames. Chrome also avoids autofilling sensitive data, such as credit card numbers, across origins.
The terminology used above is defined in the appendix.
The policy is implemented in `FormForest::GetRendererFormsOfBrowserForm()`.
The example form above exhibits a common pattern: at the time of writing, about 20% of the payment forms on the web span multiple origins. Most commonly, the cardholder name field's origin is the top-level origin, whereas the credit card number is in a cross-origin iframe hosted by the payment service provider (PSP).
These iframes are typically styled so that they seamlessly integrate with the merchant's page -- the user is not made aware that multiple frames and origins are involved. Yet the different origins isolate the payment information from the merchant's website, which helps them comply with the payment card industry's data security standard (see Section 2.2.3 of the PCI-DSS best practices).
Chrome Autofill's objective is to fill fields that the user expects to be filled, even if those fields cross origins, while protecting the user against possibly malicious sub-frames.
The following table illustrates which fields may be filled in our example form depending on the autofill's origin:
| Autofill's origin | name | num | exp | cvc | account |
|---|---|---|---|---|---|
| https://merchant.example | ✔ | ✔ | ✔ | ✔ | ✖ |
| https://psp.example | ✔ | ✔ | ✔ | ✔ | ✖ |
| https://ads.example | ✔ | ✖ | ✔ | ✖ | ✔ |
An autofill is an operation that fills one or many form control elements in the fully active descendants of a top-level traversable with user attention. An autofill can only be initiated on a focused form control element.
An autofill fills a form control if it changes the form control's value. The value after the autofill is the form control's autofill value.
A form control's origin is its node document's origin. An autofill's origin is the focused form control's origin. The top-level origin is the top-level traversable's active document's origin.
The policy-controlled feature autofill is enabled in a document if the Is feature enabled in document for origin? algorithm on autofill, the document, and the document's origin returns Enabled.
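As an added example that is not part of the Chromium documentation or its code, the following script models the two Permissions Policy algorithms referred to in the appendix for the `autofill` feature and applies them to the example form, deciding for each field whether autofill is enabled in its node document and whether a suggestion would carry the warning described in the policy section. It assumes that `autofill` has the default allowlist `'self'`, that no document sends a Permissions-Policy header, and that `allow=autofill` without an explicit allowlist means `'src'`; it also handles same-origin and nested iframes, which the page's form does not contain.

```javascript
// Added example, not Chromium code. Assumes: `autofill` has default allowlist
// 'self', no Permissions-Policy headers, `allow=autofill` on an iframe means 'src'.
// A document: its origin plus, if nested, the <iframe> container it lives in.
function makeDocument(origin, container = null) {
  return { origin, container };
}

// An <iframe>: embedding document plus its `allow` features, each allowed for 'src'.
function makeContainer(parentDocument, srcOrigin, allowAttr) {
  return { document: parentDocument,
           containerPolicy: new Map(allowAttr.map((f) => [f, [srcOrigin]])) };
}

// Permissions Policy: "Define an inherited policy for feature in container at origin".
function inheritedPolicy(feature, container, origin) {
  if (container === null) return true; // top-level traversable: Enabled
  const parent = container.document;
  if (!isFeatureEnabled(feature, parent, parent.origin)) return false;
  const allowlist = container.containerPolicy.get(feature);
  if (allowlist) return allowlist.includes(origin);
  return isFeatureEnabled(feature, parent, origin);
}

// Permissions Policy: "Is feature enabled in document for origin?" (no declared policy).
function isFeatureEnabled(feature, document, origin) {
  if (!inheritedPolicy(feature, document.container, document.origin)) return false;
  return origin === document.origin; // default allowlist 'self'
}

// Enabled in a document iff the algorithm returns Enabled for the document's own origin.
function autofillEnabledIn(doc) {
  return isFeatureEnabled("autofill", doc, doc.origin);
}

// The example form above: the node document of each form control, by id.
const merchant = makeDocument("https://merchant.example");
const pspFrame = makeDocument("https://psp.example",
  makeContainer(merchant, "https://psp.example", ["autofill"]));
const adsFrame = makeDocument("https://ads.example",
  makeContainer(merchant, "https://ads.example", []));
const FIELDS = { name: merchant, num: pspFrame, exp: merchant, cvc: pspFrame, account: adsFrame };

// Per candidate: is autofill enabled in its node document, and would a suggestion
// carry the Chrome 153 warning (filling a field whose node document has it disabled)?
function evaluateFields(fields) {
  return Object.fromEntries(Object.entries(fields).map(([id, doc]) => {
    const enabled = autofillEnabledIn(doc);
    return [id, { origin: doc.origin, autofillEnabled: enabled, warn: !enabled }];
  }));
}
```

Running `evaluateFields(FIELDS)` marks `num` and `cvc` as enabled (the PSP iframes carry `allow=autofill`) and `account` as disabled with a warning (the ads iframe does not), matching the `account` column of the table.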