Starting in Chrome 86, Chrome will automatically block autofill on HTTP forms. Even if your site is secured with HTTPS, if your forms aren’t set to be HTTPS, data can still be transferred over HTTP.
The Problem, and How To Fix It
The problem lies in the fact that HTML forms can sometimes be set to HTTP endpoints, regardless of how the rest of the site is delivered. For example, you may have a perfectly secure HTTPS site, and even redirect HTTP to HTTPS:
On that site, you could have a form like the following, which takes some input and POSTs to an endpoint.
If your forms are done like this, with a relative link instead of a direct one, everything is fine, and the form will post to the HTTPS endpoint automatically. In this case, https://www.example.com/action_page.php.
However, if you instead use a direct link, such as posting to a different subdomain, it’s possible to link an insecure version of your site. This form will always post to the HTTP URL, because that’s what it was told to do.
Of course, the fix is very easy. Simple change the HTTP to HTTPS, and the form will post properly.
If you want to check your code for insecure endpoints, you can do a Control+F search for the following:
