Form_with - first field value is overridden with a token-like string

I have recently been having to include a dummy field in forms generated by form_with. The first hidden field value is overwritten by some token-like string. Here is an example of the code:

And of the result:

I’m running the rails master branch (6.1.0alpha) and I attempted to fix it for a while before deciding the easiest course of action was to just include a dummy field to serve as a sacrificial victim to whatever programming god is overriding the values of the first field in my form_with. I’m sure I am doing something silly to cause this, but for about 5 hours of debugging, I couldn’t figure out what. This was my most WTF Rails story of late, maybe this isn’t the right venue for it, but it felt in the spirit of things when I thought of it.


This is exactly the kind of thing we’re looking for here. Thanks for reporting it!


I have seen this too — most commonly my hidden “method” fields are zapped.

I think it may be to do with Turbolinks, but can’t confirm. I have watched a correctly-formatted form bubble up from form_with (or form_for) using debugger, only to have it show up wrong by the time it arrives in the browser.

1 Like

I also might wonder about Turbolinks here, or rails-ujs.

My guess is that something Javascripty is trying to insert a fresh CSRF token (or similar) into the form. There’s a classic Rails security error that pops up when folks are trying to avoid hard browser refreshes, where the CSRF token in the meta tag doesn’t change so form submission gets you expired authenticity token errors. Whatever is causing this seems like it’s trying to remove this issue by inserting a fresh CSRF token, but misidentifying the hidden field to target. My next guess is that the token insertion code is assuming that it owns the first hidden field in the form, which works great under assumed conditions but works poorly when working with forms created outside of this code’s assumed form creation path.

1 Like

I am used to this.

Always setting method params in forms


@fordfischer From your inspector screenshot, it looks like you are using Firefox, yes? If so, I believe you are experiencing this Firefox bug, which has been unfortunately marked as stale:

But if you and others share your experiences there, maybe we could get some more attention on it.

1 Like

I am indeed using Firefox for local development - thank you for bringing this up, I would have never thought of this, browser autocomplete overriding hidden fields.

So I assume Firefox is seeing authenticity tokens get set per form and then on page reloads if there is a hidden field, maybe Firefox sets the value of the hidden form via autocomplete to the value of the old authenticity token before the new authenticity token field is added? If that is not what’s happening, I’m not quite sure I can describe it accurately in enough detail to communicate how to replicate.

I can’t say for sure, but I assume that’s what is happening as well. However, at this point, I think just describing the circumstances that produce the bug would be helpful to the Mozilla folks. Once they can reliably reproduce it, I’m sure they will track down the root cause.

I have also experienced this with Firefox. It is maddening. Can’t figure it out.

When using Firefox, hidden input values are seemingly arbitrarily overwritten. Sometimes it happens, sometimes it doesn’t. And, after I added the dummy abc123 input, it got the same crazy value that the provider had previously.

      = simple_form_for @api_key do |f|
          = hidden_field_tag :abc123
          = f.input :provider, as: :hidden, wrapper: false