I think not all custom fields should be automatically filled in when filling a form. The rationale is that some login and card entries need to include some information that is not needed for login/payment. Examples include two-factor authentication recovery codes and card PIN codes, which need to be stored securely but should almost never be filled on a form. Currently they get filled in if a malicious form has a hidden field named “pin” or “recovery codes”. Using the notes field for storing these fields is not an option because PINs and recovery codes act like passwords, so they should be hidden when browsing entries.
I think there are three easy ways to achieve this: either add a checkbox next to each custom field which controls whether the field gets automatically filled or not, or add a field name prefix which prevents automatic filling, or force everyone to use the csv= prefix for all automatically filled fields.
On a related note, the user interface should inform the user better that the custom fields are actually used to automatically fill in forms and that they are not just additional info related to the entry.
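
Added example, not part of the original post and not the product's own code: a sketch of the three proposed policies next to the fill-everything behaviour the post describes, showing which form inputs would receive a value. The entry and form shapes, the policy names and the `nofill=` prefix are assumptions; only the `csv=` prefix is named in the post.

```javascript
// Added example. Field shape, policy names and the "nofill=" prefix are
// assumptions; only the "csv=" prefix is named in the post.
function isFillable(field, policy) {
  switch (policy) {
    case "fillAll":       // behaviour the post describes today
      return true;
    case "checkbox":      // option 1: per-field flag, off unless ticked
      return field.autofill === true;
    case "optOutPrefix":  // option 2: a name prefix blocks filling
      return !field.name.startsWith("nofill=");
    case "optInPrefix":   // option 3: only "csv=" fields are filled
      return field.name.startsWith("csv=");
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Drop a policy prefix so the rest can be compared with a form input name.
function matchName(field) {
  return field.name.replace(/^(csv=|nofill=)/, "").trim().toLowerCase();
}

// Returns { inputName: value } for every input that would receive a value.
function planAutofill(entry, formInputs, policy) {
  const plan = {};
  for (const input of formInputs) {
    const wanted = input.name.trim().toLowerCase();
    const field = entry.customFields.find(
      (f) => isFillable(f, policy) && matchName(f) === wanted
    );
    if (field) plan[input.name] = field.value;
  }
  return plan;
}

// Constructed sample data: one entry and a form whose last two inputs are hidden.
const sampleEntry = { customFields: [
  { name: "csv=customer id", value: "C-1001", autofill: true },
  { name: "nofill=pin", value: "0000", autofill: false },
  { name: "nofill=recovery codes", value: "aaaa-bbbb", autofill: false },
] };
const sampleForm = [
  { name: "customer id" }, { name: "pin", hidden: true },
  { name: "recovery codes", hidden: true },
];

for (const policy of ["fillAll", "checkbox", "optOutPrefix", "optInPrefix"]) {
  console.log(policy, Object.keys(planAutofill(sampleEntry, sampleForm, policy)));
}
```

Of the three, only the opt-out prefix leaves a newly created field fillable until the user renames it; the checkbox (as modelled here, off unless ticked) and the `csv=` opt-in both default to not filling.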