
RE: [CSS3UI] Concerned about Appearance:Password

From: Robert Chapin <w3-list@info-svc.com>
Date: Mon, 4 Dec 2006 03:59:35 -0500
To: <www-style@w3.org>
Message-Id: <20061204085935.F302922693B@smtp1.dnsmadeeasy.com>

But it's not just "an input" if the phisher can modify its behavior through
CSS.  This is especially dangerous when 'type=password' has been
blacklisted.  It may not be a good policy, but it works, and CSS3 will break
it.
_____________
Robert Chapin
Chapin Information Services, Inc. 
-----Original Message-----
From: www-style-request@w3.org [mailto:www-style-request@w3.org] On Behalf
Of Patrick H. Lauke
Sent: Saturday, December 02, 2006 6:07 PM
To: www-style@w3.org
Subject: Re: [CSS3UI] Concerned about Appearance:Password


Robert Chapin wrote:
>  
> If UAs interpret this property as a display feature for non-password 
> inputs, then a phisher could create a quasi-password input under CSS3 
> that appears identical to a legitimate password input.

But if a phisher can already generate an input and then route the form to
one of their own sites to store the input, or lure an unsuspecting user to a
page that's theirs in the first place, I don't see how using CSS would make
it any easier for them than just creating an actual password input. Or am I
missing something?

P
--
Patrick H. Lauke
__________________________________________________________
re.dux (adj.): brought back; returned. used postpositively [latin : re-, re-
+ dux, leader; see duke.] www.splintered.co.uk | www.photographia.co.uk
http://redux.deviantart.com
__________________________________________________________
Web Standards Project (WaSP) Accessibility Task Force
http://webstandards.org/
__________________________________________________________
Received on Monday, 4 December 2006 09:00:41 GMT
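
The gap argued over in this thread, as an added example (not code from either poster): a constructed filter for user-submitted HTML that blacklists `type=password`, next to a hardened pass that also flags an inline `appearance: password` declaration. It assumes a UA that implements the draft value; the function names, the `-vendor-` prefix and the sample markup are made up for illustration, and only inline `style` attributes are inspected.

```javascript
// Added example; function names and sample markup are constructed.
// Assumption: the UA renders the CSS3-UI draft value `appearance: password`.

// Parse the attributes of one <input ...> start tag into an object.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<\s*input/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4] ?? "").trim();
  }
  return attrs;
}

// True if an inline style declares (optionally prefixed) appearance: password.
// CSS comments are stripped first so they cannot split the declaration.
function stylesAsPassword(style) {
  const clean = style.replace(/\/\*[\s\S]*?\*\//g, "").toLowerCase();
  return clean.split(";").some((decl) => {
    const i = decl.indexOf(":");
    if (i < 0) return false;
    const prop = decl.slice(0, i).trim();
    const value = decl.slice(i + 1).replace(/!\s*important/, "").trim();
    return /^(-[a-z]+-)?appearance$/.test(prop) && value === "password";
  });
}

// policy "naive": the type=password blacklist; "hardened": also checks style.
function findPasswordLikeInputs(html, policy) {
  const hits = [];
  for (const [tag] of html.matchAll(/<\s*input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const typed = (a.type || "").toLowerCase() === "password";
    const styled = policy === "hardened" && stylesAsPassword(a.style || "");
    if (typed || styled) {
      hits.push({ name: a.name || "", reason: typed ? "type" : "appearance" });
    }
  }
  return hits;
}

// Constructed sample submission (not taken from the thread).
const SAMPLE = [
  '<input type="text" name="user">',
  '<input type=PASSWORD name="pw1">',
  '<input type="text" name="pw2" style="color:red; appearance: password">',
  '<input name="pw3" style="-vendor-appearance /* x */ : Password !important">',
].join("\n");
```

A rule delivered through a stylesheet or a class selector is outside what this check sees, so a filter relying on it would also have to restrict the CSS that submitted markup can reference.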
