W3C home > Mailing lists > Public > www-style@w3.org > December 2006

Re: [CSS3UI] Concerned about Appearance:Password

From: Matthew Raymond <mattraymond@earthlink.net>
Date: Mon, 04 Dec 2006 20:39:13 -0500
Message-ID: <4574CDC1.9020908@earthlink.net>
To: Robert Chapin <w3-list@info-svc.com>
CC: www-style@w3.org

Robert Chapin wrote:
> But it's not just "an input" if the phisher can modify its behavior through
> CSS.  This is especially dangerous when 'type=password' has been
> blacklisted.  It may not be a good policy, but it works, and CSS3 will break
> it.

   I think I understand what you're getting at. You think that people
will mistake a regular <input type="text"> styled with "display:
password" for an <input type="password">. There are two problems with
this line of thinking.

   First, you give people too much credit. I was watching Heroes a few
days ago, and in the episode someone entered a series of passwords where
the letters were plainly visible. Don't assume that people will even
notice that the characters aren't masked. We're talking about people who
think the blue "e" is the Internet.

   Second, I don't see how CSS can be injected into most sites. You
could claim that someone could use the |style| attribute to add styling,
but it would be easy to just drop all |style| elements. It would also be
fairly simple to filter out "display: password". Since you're indicating
that the webmaster is already filtering out <input type="password">,
<input style="display: password"> shouldn't be that much harder.

   I don't understand what this has to do with passwords being
automatically filled by the browser, though. Clearly, the browser
decides what element to insert the password into based on markup, not
Received on Tuesday, 5 December 2006 01:39:39 UTC

This archive was generated by hypermail 2.3.1 : Monday, 2 May 2016 14:27:27 UTC