I believe auto-filling HTTP (insecure) forms should disabled by default with security in mind.
There are substantial security implications to auto-filling website forms (including passwords).
Currently when testing with the built-in LastPass password manager I’m finding that HTTP sites are having their passwords auto-filled.
I assume that it’s the same with the other built-in password managers?
Even auto-filling on a secure website raises questions when the user wishes to remain anonymous / logged out: