On 2/2/2012 10:48 PM, Ryosuke Niwa wrote: > On Thu, Feb 2, 2012 at 10:43 PM, Charles Pritchard <chuck@jumis.com > <mailto:chuck@jumis.com>> wrote: > > On 2/2/12 10:27 PM, Ryosuke Niwa wrote: >> On Thu, Feb 2, 2012 at 10:20 PM, Charles Pritchard >> <chuck@jumis.com <mailto:chuck@jumis.com>> wrote: >> >> Seems like a very minor risk for high security sites, e.g. >> banking, in identifying form elements. >> In the spirit of giving it some thought: >> >> >> But even for those websites, what could input / textarea elements >> can reveal more than what user sees? > Many sites use <input hidden> elements with what are essentially > image maps for entering a PIN. > > > But any element with display:none will be removed so <input hidden> > should be removed. > > It's becoming more common that top level domains are being > restricted or redirected to country codes. It seems plausible that > domains may further be restricted to HTTPS (SSL) signatures. Going > further, sites may be restricted to those which serve appropriate > security headers against XSS attacks. Disabling the "copy" > mechanism for any portion of a site does risk censorship. But, we > are only examining high security portions of high security sites, > such as <input hidden> and <input type=password>. > > > input[type=password] is a good one. We should probably get rid of the > value in that case? Yes, I think so. I'm working on an application in which I do a lot of copy and paste work. I'll let you know if I come across anything I think should change. -Charles
Received on Saturday, 4 February 2012 23:01:49 UTC